From 51a689b4a17f66267353ecf06eeaba2c9287ab8d Mon Sep 17 00:00:00 2001 From: Nhu Do Date: Wed, 16 Jul 2025 11:41:15 -0400 Subject: [PATCH 1/6] CCA updated firewall UI updates (#56555) Co-authored-by: Tim Rogers Co-authored-by: hubwriter --- ...g-the-firewall-for-copilot-coding-agent.md | 29 +++++++++++++------ 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/content/copilot/how-tos/agents/copilot-coding-agent/customizing-or-disabling-the-firewall-for-copilot-coding-agent.md b/content/copilot/how-tos/agents/copilot-coding-agent/customizing-or-disabling-the-firewall-for-copilot-coding-agent.md index d31c85ef64a3..00ce5a3858c1 100644 --- a/content/copilot/how-tos/agents/copilot-coding-agent/customizing-or-disabling-the-firewall-for-copilot-coding-agent.md +++ b/content/copilot/how-tos/agents/copilot-coding-agent/customizing-or-disabling-the-firewall-for-copilot-coding-agent.md @@ -15,6 +15,8 @@ redirect_from: > {% data reusables.copilot.coding-agent.preview-note-text %} > > For an introduction to {% data variables.copilot.copilot_coding_agent %}, see [AUTOTITLE](/copilot/concepts/about-copilot-coding-agent). +> +> Firewall configuration has moved to the {% data variables.copilot.copilot_coding_agent %} settings page. Previous configurations saved as Actions variables will be maintained on that page. ## Overview @@ -30,30 +32,39 @@ If {% data variables.product.prodname_copilot_short %} tries to make a request w ## Allowlisting additional hosts in the agent's firewall -You can allowlist additional addresses in the agent's firewall by setting the `COPILOT_AGENT_FIREWALL_ALLOW_LIST_ADDITIONS` {% data variables.product.prodname_actions %} variable to a comma-separated list. In that list, you can include: +You can allowlist additional addresses in the agent's firewall. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +1. In the "Code & automation" section of the sidebar, click **{% data variables.product.prodname_copilot_short %}** then **{% data variables.copilot.copilot_coding_agent_short %}**. +1. Click **Custom allowlist** +1. Add the addresses you want to include in the allow list. You can include: + + * **Domains** (for example, `packages.contoso.corp`). Traffic will be allowed to the specified domain and any subdomains. -* **Domains** (for example, `packages.contoso.corp`), in which case traffic will be allowed to that domain and any subdomains. + **Example**: `packages.contoso.corp` will allow traffic to `packages.contoso.corp` and `prod.packages.contoso.corp`, but not `artifacts.contoso.corp`. - **Example**: `packages.contoso.corp` would allow traffic to `packages.contoso.corp` and `prod.packages.contoso.corp`, but not `artifacts.contoso.corp`. + * **URLs** (for example, `https://packages.contoso.corp/project-1/`). Traffic will only be allowed on the specified scheme (`https`) and host (`packages.contoso.corp`), and limited to the specified path and descendant paths. -* **URLs** (for example, `https://packages.contoso.corp/project-1/`), in which case traffic will only be allowed on the specified scheme (`https`) and host (`packages.contoso.corp`), and limited to the specified path and descendant paths. + **Example**: `https://packages.contoso.corp/project-1/` will allow traffic to `https://packages.contoso.corp/project-1/` and `https://packages.contoso.corp/project-1/tags/latest`, but not `https://packages.consoto.corp/project-2`, `ftp://packages.contoso.corp` or `https://artifacts.contoso.corp`. - **Example**: `https://packages.contoso.corp/project-1/` would allow traffic to `https://packages.contoso.corp/project-1/` and `https://packages.contoso.corp/project-1/tags/latest`, but not `https://packages.consoto.corp/project-2`, `ftp://packages.contoso.corp` or `https://artifacts.contoso.corp`. +1. Click **Add Rule**. +1. After validating your list, click **Save changes**. -## Overwriting the firewall allowlist +## Overwriting the recommended firewall allowlist By default, the firewall allows access to a number of hosts that are commonly used to download dependencies or that {% data variables.product.prodname_copilot_short %} uses to interact with {% data variables.product.github %}. -To completely clear this default allowlist and start again from scratch, set the `COPILOT_AGENT_FIREWALL_ALLOW_LIST` {% data variables.product.prodname_actions %} variable to a comma-separated list of hosts. +To disable this, toggle the **Recommended allowlist** setting **off**. -For example, to _only_ allow access to `packages.contoso.corp` and `artifacts.contoso.corp`, set the `COPILOT_AGENT_FIREWALL_ALLOW_LIST` variable to `packages.contoso.corp,artifacts.contoso.corp`. +To use the recommended allowlist in addition to your own allowlist, keep the **Recommended allowlist** setting **on**, and add your additional addresses in the **Custom allowlist** page. ### Disabling the firewall > [!WARNING] > Disabling the firewall will allow {% data variables.product.prodname_copilot_short %} to connect to any host, increasing risks of exfiltration of code or other sensitive information. -The firewall is enabled by default. To disable the firewall, set the `COPILOT_AGENT_FIREWALL_ENABLED` {% data variables.product.prodname_actions %} variable to `false`. +The firewall is enabled by default. To disable the firewall, toggle the **Enable firewall** setting to **off**. ## Further reading From 5abb8c9904b3b5290b0b995880b96e92d5cfd90f Mon Sep 17 00:00:00 2001 From: mc <42146119+mchammer01@users.noreply.github.com> Date: Wed, 16 Jul 2025 17:10:14 +0100 Subject: [PATCH 2/6] Security Configurations include "Default or Advanced" option for Code Scanning [GA] (#56570) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Sam Partington Co-authored-by: Kevin Heis Co-authored-by: Felicity Chapman --- ...-custom-security-configuration-for-your-enterprise.md | 6 ++++-- .../creating-a-custom-security-configuration.md | 6 ++++-- ...pository-is-using-advanced-setup-for-code-scanning.md | 9 +++++---- ...default-setup-enabled-with-advanced-setup-allowed.yml | 6 ++++++ .../enable-default-setup-allow-advanced-setup-note.md | 3 +++ 5 files changed, 22 insertions(+), 8 deletions(-) create mode 100644 data/features/default-setup-enabled-with-advanced-setup-allowed.yml create mode 100644 data/reusables/code-scanning/enable-default-setup-allow-advanced-setup-note.md diff --git a/content/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise.md b/content/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise.md index 5d849faa36d8..a1a8c640963d 100644 --- a/content/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise.md +++ b/content/admin/managing-code-security/securing-your-enterprise/creating-a-custom-security-configuration-for-your-enterprise.md @@ -59,7 +59,8 @@ When creating a security configuration, keep in mind that: * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).{% ifversion security-delegated-alert-dismissal %} * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning).{% endif %} 1. Optionally, enable "{% data variables.product.prodname_code_security %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. You can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_code_scanning %} features: - * **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). {% ifversion code-scanning-default-setup-customize-labels %} + * **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). + {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}{% ifversion code-scanning-default-setup-customize-labels %} * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners).{% endif %} {% ifversion security-delegated-alert-dismissal %} * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning).{% endif %} 1. Still under "{% data variables.product.prodname_code_security %}", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features: @@ -97,7 +98,8 @@ When creating a security configuration, keep in mind that: * **Push protection**. To learn about push protection, see [AUTOTITLE](/code-security/secret-scanning/introduction/about-push-protection).{% ifversion security-delegated-alert-dismissal %} * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning).{% endif %} 1. In the "{% data variables.product.prodname_code_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. - * **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). {% ifversion code-scanning-default-setup-customize-labels %} + * **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). + {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}{% ifversion code-scanning-default-setup-customize-labels %} * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners).{% endif %} {% ifversion security-delegated-alert-dismissal %} * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning).{% endif %} 1. In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features: diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md index 4b6c36d4c9a3..7579165d9a20 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration.md @@ -60,7 +60,8 @@ You can also choose whether or not you want to include {% data variables.product * **Bypass privileges**. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).{% endif %}{% ifversion security-delegated-alert-dismissal %} * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning).{% endif %} 1. Optionally, enable "{% data variables.product.prodname_code_security %}", a paid feature for private {% ifversion ghec %}and internal {% endif %} repositories. You can choose whether to enable, disable, or keep the existing settings for the following {% data variables.product.prodname_code_scanning %} features: - * **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). {% ifversion code-scanning-default-setup-customize-labels %} + * **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). + {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}{% ifversion code-scanning-default-setup-customize-labels %} * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners).{% endif %} {% ifversion security-delegated-alert-dismissal %} * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning).{% endif %} 1. Still under "{% data variables.product.prodname_code_security %}", in the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features: @@ -99,7 +100,8 @@ You can also choose whether or not you want to include {% data variables.product * **Bypass privileges**. By assigning bypass privileges, selected organization members can bypass push protection, and there is a review and approval process for all other contributors. See [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/delegated-bypass-for-push-protection/about-delegated-bypass-for-push-protection).{% endif %}{% ifversion security-delegated-alert-dismissal %} * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/secret-scanning/using-advanced-secret-scanning-and-push-protection-features/enabling-delegated-alert-dismissal-for-secret-scanning).{% endif %} 1. In the "{% data variables.product.prodname_code_scanning_caps %}" table, choose whether you want to enable, disable, or keep the existing settings for {% data variables.product.prodname_code_scanning %} default setup. - * **Default setup**. To learn more, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). {% ifversion code-scanning-default-setup-customize-labels %} + * **Default setup**. To learn more about default setup, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#about-default-setup). + {% data reusables.code-scanning.enable-default-setup-allow-advanced-setup-note %}{% ifversion code-scanning-default-setup-customize-labels %} * **Runner type**. If you want to target specific runners for {% data variables.product.prodname_code_scanning %}, you can choose to use custom-labeled runners at this step. See [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#assigning-labels-to-runners).{% endif %} {% ifversion security-delegated-alert-dismissal %} * **Prevent direct alert dismissals**. To learn more, see [AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/enabling-delegated-alert-dismissal-for-code-scanning).{% endif %} 1. In the "Dependency scanning" table, choose whether you want to enable, disable, or keep the existing settings for the following dependency scanning features: diff --git a/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md b/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md index 25bbf26675e8..e13f13f0b2c1 100644 --- a/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md +++ b/content/code-security/securing-your-organization/troubleshooting-security-configurations/a-repository-is-using-advanced-setup-for-code-scanning.md @@ -1,7 +1,7 @@ --- title: A repository is using advanced setup for code scanning shortTitle: Active advanced setup -intro: 'You cannot attach a {% data variables.product.prodname_security_configuration %} with code scanning enabled to repositories that are using advanced setup for code scanning.' +intro: 'You see an error when you try to attach a {% data variables.product.prodname_security_configuration %} with default code scanning enabled to repositories that use advanced setup for code scanning.' permissions: '{% data reusables.permissions.security-org-enable %}' versions: feature: security-configurations @@ -15,9 +15,9 @@ topics: ## About the problem -You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup enabled to a target repository that uses advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of their repositories, so they are not intended to be overridden at scale. +You cannot successfully apply a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} default setup set to "Enabled" to a target repository that uses advanced setup for {% data variables.product.prodname_code_scanning %}. Advanced setups are tailored to the specific security needs of their repositories, so they are not intended to be overridden at scale. -If you try to attach a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} enabled to a repository already using advanced setup, security settings will be applied as follows: +If you try to attach a {% data variables.product.prodname_security_configuration %} with {% data variables.product.prodname_code_scanning %} set to "Enabled" to a repository that already uses advanced setup, security settings will be applied as follows: * **{% data variables.product.prodname_code_scanning_caps %} default setup will not be enabled**, and advanced setup will continue to run as normal. * **All other security features enabled in the configuration will be enabled.** @@ -33,7 +33,8 @@ For all repositories without an active advanced setup, the {% data variables.pro ## Solving the problem -There are two ways you can solve this problem: +There are three ways you could solve this problem: +1. **Change the Default setup option from "Enabled" to "Enabled with advanced setup allowed"** in the {% data variables.product.prodname_security_configuration %}. _Option available from {% data variables.product.prodname_ghe_server %} 3.19._ After editing your {% data variables.product.prodname_security_configuration %}, reapply it to the repositories. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/applying-a-custom-security-configuration). 1. **Update the affected repositories to use default setup** for {% data variables.product.prodname_code_scanning %} at the repository level and then reapply your {% data variables.product.prodname_security_configuration %} to the repositories. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). 1. **Create a new custom {% data variables.product.prodname_security_configuration %}** that does not include a setting for {% data variables.product.prodname_code_scanning %} and apply this {% data variables.product.prodname_security_configuration %} to repositories that use advanced setup. For more information, see [AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/creating-a-custom-security-configuration). diff --git a/data/features/default-setup-enabled-with-advanced-setup-allowed.yml b/data/features/default-setup-enabled-with-advanced-setup-allowed.yml new file mode 100644 index 000000000000..1fe9406d7c76 --- /dev/null +++ b/data/features/default-setup-enabled-with-advanced-setup-allowed.yml @@ -0,0 +1,6 @@ +# References: +# Issue #16873 - Security Configurations include "Default or Advanced" option for Code Scanning [GA] +versions: + fpt: '*' + ghec: '*' + ghes: '>3.18' diff --git a/data/reusables/code-scanning/enable-default-setup-allow-advanced-setup-note.md b/data/reusables/code-scanning/enable-default-setup-allow-advanced-setup-note.md new file mode 100644 index 000000000000..a38a139593d8 --- /dev/null +++ b/data/reusables/code-scanning/enable-default-setup-allow-advanced-setup-note.md @@ -0,0 +1,3 @@ +> [!NOTE] +> To create a configuration that you can apply to a repository that uses advanced setup for {% data variables.product.prodname_codeql %}, choose "Enabled with advanced setup allowed". This setting enables default setup in repositories where advanced setup for {% data variables.product.prodname_codeql %} is not detected. +> _Option available from {% data variables.product.prodname_ghe_server %} 3.19._ From de78336bf9b8c29d1a04972b28298e0a5706edb6 Mon Sep 17 00:00:00 2001 From: hubwriter Date: Wed, 16 Jul 2025 17:23:42 +0100 Subject: [PATCH 3/6] "Copilot creates issues" now supports issue forms [Public Preview] (#56616) Co-authored-by: Annie Gesellchen Co-authored-by: Kevin Heis Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> --- .../using-github-copilot-to-create-issues.md | 42 ++++++++++++------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/content/copilot/how-tos/github-flow/using-github-copilot-to-create-issues.md b/content/copilot/how-tos/github-flow/using-github-copilot-to-create-issues.md index 97cc76eb7b1e..8a6ed4de4038 100644 --- a/content/copilot/how-tos/github-flow/using-github-copilot-to-create-issues.md +++ b/content/copilot/how-tos/github-flow/using-github-copilot-to-create-issues.md @@ -15,52 +15,62 @@ redirect_from: > [!NOTE] > This feature is in {% data variables.release-phases.public_preview %} and subject to change. -Creating issues manually can be repetitive and time-consuming. With {% data variables.product.prodname_copilot_short %}, you can create issues faster by prompting in natural language, or even by uploading a screenshot. {% data variables.product.prodname_copilot_short %} fills out the title, body, labels, assignees, and more, using your repository’s templates and structure. +Creating issues manually can be repetitive and time-consuming. With {% data variables.product.prodname_copilot_short %}, you can create issues faster by prompting in natural language, or even by uploading a screenshot. {% data variables.product.prodname_copilot_short %} fills out the title, body, labels, assignees, and more, using your repository’s issue forms or templates. -You stay in control: review and refine what {% data variables.product.prodname_copilot_short %} suggests, or make changes directly in the issue form. +You stay in control of the process. You can review and refine what {% data variables.product.prodname_copilot_short %} suggests before you submit the new issue. ## Creating an issue with {% data variables.product.prodname_copilot_short %} You can create issues from {% data variables.copilot.copilot_chat_short %}'s immersive view. 1. Go to the immersive view of {% data variables.copilot.copilot_chat_short %} ([https://github.com/copilot](https://github.com/copilot)). -1. At the bottom of the page, in the "Ask {% data variables.product.prodname_copilot_short %}" box, describe what you want to file. Specify the repository you would like to create your issue in using the org/repository format. If you do not specify a repository, {% data variables.product.prodname_copilot_short %} will infer the repository based on the repository you last created an issue in. You can try: +1. In the prompt box, describe the issue you want to create. - * "Create a feature request to add fuzzy matching to search." - * "Log a bug for a 500 error when submitting the login form." - * "Create a task and add a label for ‘needs design review’." + If you contribute issues to multiple repositories, use the `organization/repository` format to specify the target repository for this issue. If you don't specify a repository, {% data variables.product.prodname_copilot_short %} will infer the repository based on the repository you last created an issue in. + + For example: + + * `In octo-org/octo-repo, create a feature request to add fuzzy matching to search.` + * `Log a bug for a 500 error. This happens consistently when I try to log into the site.` + * `Create a task to change the application logo background to red and add the label "needs design review".` > [!NOTE] You can only use {% data variables.product.prodname_copilot_short %} to create issues in repositories where you already have permission to create issues. This feature doesn't change your access or bypass repository permissions. -1. Or, you can use one of the following methods to include an image in your prompt: +1. Alternatively, you can use one of the following methods to include an image in your prompt: * Copy an image and paste it into the prompt box at the bottom of the page. * Click {% octicon "paperclip" aria-label="Add attachment" %} in the prompt box, then click **Image**. Browse to the image file you want to attach, select it and click **Open**. * Drag and drop an image file from your operating system's file explorer into the prompt box. - After you paste or upload the image, you can add text to your prompt, for example: "Create an issue because this error appears when trying to reset a password." + After you paste or upload the image, you can add text to your prompt, for example: `Create an issue because this error appears when trying to reset a password.` -1. {% data variables.product.prodname_copilot_short %} will draft an issue that includes: +1. {% data variables.product.prodname_copilot_short %} drafts an issue that includes: * A suggested title. - * A formatted body (based on your repository’s template) + * Details of the required changes. + + If your repository has issue forms or templates, {% data variables.product.prodname_copilot_short %} will choose an appropriate form or template based on your prompt. If there are no forms or templates, {% data variables.product.prodname_copilot_short %} will create a basic issue body for the details of the issue. - Based on your prompt, {% data variables.product.prodname_copilot_short %} will also suggest metadata such as labels, assignee, and issue type. + If {% data variables.product.prodname_copilot_short %} uses an issue form, it will break up the information in your prompt into the relevant fields of the form, without losing any data. {% data variables.product.prodname_copilot_short %} will ask you to provide additional context if there are fields it does not have enough information to fill out. + + Based on your prompt, {% data variables.product.prodname_copilot_short %} can also suggest metadata such as labels, assignees, and issue type. 1. Review the draft. You can: * Edit any part of the issue manually. + * Choose a different issue form or template without losing your input. {% data variables.product.prodname_copilot_short %} reformats the content according to the form or template you choose. * Ask {% data variables.product.prodname_copilot_short %} to make changes with a follow-up prompt. - * Switch templates without losing your input. 1. Once the issue looks good, click **Create**. -{% data variables.product.prodname_copilot_short %} tailors its suggestions based on the repository where you're creating the issue. It selects the most relevant template for your prompt and applies associated metadata, like labels or issue type. If you choose a different template, {% data variables.product.prodname_copilot_short %} automatically reformats the content to match the new structure. - ## Creating multiple issues at once If your prompt includes multiple tasks or bugs, {% data variables.product.prodname_copilot_short %} can draft more than one issue at a time. +For example: + +`In octo-org/octo-repo, create 3 issues: 1) DETAILS OF ONE TASK, 2) DETAILS OF ANOTHER TASK, 3) DETAILS OF A THIRD TASK` + Each draft appears separately, and you can review and edit them individually. To publish the issues, click **Create** on each one you want to submit. ## Assigning issues to {% data variables.product.prodname_copilot_short %} @@ -73,3 +83,7 @@ You can assign the issue during creation in one of two ways: * **Manually:** Select "{% data variables.product.prodname_copilot_short %}" from the assignee list. Once the issue is assigned and created, {% data variables.product.prodname_copilot_short %} will start working on it automatically. You’ll see a 👀 emoji reaction on the issue to indicate that {% data variables.product.prodname_copilot_short %} is working on it. + +## Further reading + +* [AUTOTITLE](/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository) From 66f68167300d740479bbb3a73dcc44960fc9ab9c Mon Sep 17 00:00:00 2001 From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Wed, 16 Jul 2025 09:49:42 -0700 Subject: [PATCH 4/6] Update audit log event data (#56667) Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> --- src/audit-logs/data/fpt/organization.json | 14272 +++++++++---- src/audit-logs/data/fpt/user.json | 7534 ++++--- src/audit-logs/data/ghec/enterprise.json | 16867 ++++++++++++---- src/audit-logs/data/ghec/organization.json | 14272 +++++++++---- src/audit-logs/data/ghec/user.json | 7534 ++++--- src/audit-logs/data/ghes-3.14/enterprise.json | 12873 +++++++++++- .../data/ghes-3.14/organization.json | 11989 ++++++++++- src/audit-logs/data/ghes-3.14/user.json | 6498 +++++- src/audit-logs/data/ghes-3.15/enterprise.json | 13048 +++++++++++- .../data/ghes-3.15/organization.json | 12485 +++++++++++- src/audit-logs/data/ghes-3.15/user.json | 6673 +++++- src/audit-logs/data/ghes-3.16/enterprise.json | 13657 ++++++++++++- .../data/ghes-3.16/organization.json | 12864 +++++++++++- src/audit-logs/data/ghes-3.16/user.json | 6806 ++++++- src/audit-logs/data/ghes-3.17/enterprise.json | 14017 ++++++++++++- .../data/ghes-3.17/organization.json | 13195 +++++++++++- src/audit-logs/data/ghes-3.17/user.json | 6860 ++++++- src/audit-logs/data/ghes-3.18/enterprise.json | 14108 ++++++++++++- .../data/ghes-3.18/organization.json | 13452 +++++++++++- src/audit-logs/data/ghes-3.18/user.json | 6883 ++++++- src/audit-logs/lib/config.json | 2 +- 21 files changed, 205023 insertions(+), 20866 deletions(-) diff --git a/src/audit-logs/data/fpt/organization.json b/src/audit-logs/data/fpt/organization.json index ad90f40a07aa..6c79c0bd521d 100644 --- a/src/audit-logs/data/fpt/organization.json +++ b/src/audit-logs/data/fpt/organization.json @@ -4,25 +4,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "org", "@timestamp", + "operation_type", + "user_agent", "_document_id", + "created_at", "action", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { @@ -30,25 +42,52 @@ "description": "A GitHub Actions cache was deleted using the REST API.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "oauth_application_id", + "user_id", "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "advisory_credit.accept", "description": "Credit was accepted for a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory" }, { @@ -56,19 +95,21 @@ "description": "Someone was added to the credit section of a security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "ghsa_id", "repo", - "user", - "created_at", + "repo_id", + "recipient", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -76,19 +117,22 @@ "description": "Credit was declined for a security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "ghsa_id", "repo", - "user", - "created_at", + "repo_id", + "recipient", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -96,19 +140,22 @@ "description": "Someone was removed from the credit section of a security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "ghsa_id", "repo", - "user", - "created_at", + "repo_id", + "recipient", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -116,43 +163,101 @@ "description": "A workflow run artifact was manually deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", "actor", + "user_agent", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "request_id", + "@timestamp", "created_at", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { "action": "auto_approve_personal_access_token_requests.disable", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources. See also: personal_access_token.auto_approve_grant_requests_disabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "auto_approve_personal_access_token_requests.enable", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval. See also: personal_access_token.auto_approve_grant_requests_enabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { @@ -160,19 +265,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "oauth_application_id", "@timestamp", + "actor_id", + "operation_type", "_document_id", - "action", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "user_agent", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action" ] }, { @@ -180,31 +284,63 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { @@ -213,78 +349,210 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" ] }, { "action": "code_scanning.alert_appeared_in_branch", "description": "Existing code scanning alerts appeared in a branch.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_fixed", "description": "Code scanning alerts were fixed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_outdated", "description": "Code scanning alerts were closed as outdated (all configurations they were detected in were deleted).", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_numbers", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_by_user", "description": "Code scanning alerts were manually dismissed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers", + "dismissal_approver_id" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_approved", "description": "Dismissal of code scanning alerts was approved.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_denied", "description": "Dismissal of code scanning alerts was denied.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_requested", "description": "Dismissal of code scanning alerts was requested.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_created", "description": "Code scanning alerts were seen for the first time.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reappeared", "description": "Code scanning alerts that were previously fixed reappeared.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reopened_by_user", "description": "Code scanning alerts that were previously dismissed were reopened.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { @@ -292,19 +560,16 @@ "description": "A codespace using custom permissions from its devcontainer.json file was launched.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "origin_repository", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -312,25 +577,49 @@ "description": "An attempt to create a codespace from a prebuild was made.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "owner", + "pull_request_id", + "repository", + "repository_id", + "user_id", "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "codespaces.business_enablement_updated", "description": "Enterprise setting for Codespaces ownership was updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "organization_names", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { @@ -338,31 +627,79 @@ "description": "Credentials for a codespace were refreshed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "machine_type", + "devcontainer_path" ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { @@ -370,19 +707,18 @@ "description": "A codespace was exported to a branch on GitHub.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "public_repo" ] }, { @@ -390,19 +726,17 @@ "description": "Policies were applied to codespaces in an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -410,19 +744,20 @@ "description": "Policies were removed from codespaces in an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -430,19 +765,19 @@ "description": "Policies were updated for codespaces in an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -450,19 +785,19 @@ "description": "A codespace was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -470,19 +805,27 @@ "description": "A codespace was started.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "name", "org", - "repo", + "owner", + "pull_request_id", + "machine_type", + "user_id", "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -490,25 +833,39 @@ "description": "A codespace was stopped.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { @@ -516,19 +873,20 @@ "description": "A commit comment was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", "repo", - "user", + "org", + "org_id", "created_at", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "actor_id", + "request_id", + "_document_id", + "user_agent", + "action", + "programmatic_access_type" ] }, { @@ -536,19 +894,21 @@ "description": "A commit comment was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", + "repo_id", "actor", - "actor_id", - "business", "org", + "request_id", + "action", + "@timestamp", "repo", - "user", + "org_id", + "actor_id", "created_at", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -556,19 +916,21 @@ "description": "Copilot access was revoked for the organization or enterprise due to its Copilot subscription ending, an issue with billing the entity, the entity being marked spammy, or the entity being suspended.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "reason", + "plan", + "org_id", + "owner", "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -576,19 +938,15 @@ "description": "Copilot feature settings were changed at the organization level.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -596,25 +954,41 @@ "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { @@ -622,19 +996,24 @@ "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", + "token_id", + "token_scopes", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -642,19 +1021,17 @@ "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -662,19 +1039,20 @@ "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -682,19 +1060,19 @@ "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "seat_assignment", + "request_access_security_header" ] }, { @@ -702,19 +1080,21 @@ "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "user_id", "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -722,19 +1102,21 @@ "description": "The seat management setting was changed at the organization level to either enable or disable Copilot access for all members of the organization, or to enable Copilot access for selected members or teams.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "old_value", + "new_value", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -742,19 +1124,21 @@ "description": "The excluded paths for GitHub Copilot were updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "excluded_paths", + "owner_type", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -762,19 +1146,17 @@ "description": "Copilot custom instructions were created for the organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "request_access_security_header", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "custom_instructions" ] }, { @@ -782,43 +1164,111 @@ "description": "Copilot custom instructions were updated for the organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "request_access_security_header", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "custom_instructions" ] }, { "action": "copilot.knowledge_base_created", "description": "A knowledge base was created in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_deleted", "description": "A knowledge base was deleted from the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_updated", "description": "A knowledge base was updated in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.plan_changed", "description": "The plan for GitHub Copilot was updated.", "docs_reference_links": "/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_plan", + "plan", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About billing for GitHub Copilot" }, { @@ -826,19 +1276,23 @@ "description": "The plan for GitHub Copilot was scheduled to be downgraded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "org_id", + "owner", "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "current_plan", + "scheduled_plan" ] }, { @@ -846,19 +1300,22 @@ "description": "Specific repositories were disabled from using Copilot coding agent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "org_id", + "owner_type", "actor_id", - "business", - "org", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -866,19 +1323,23 @@ "description": "Specific repositories were enabled to use Copilot coding agent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", + "org_id", + "owner_type", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -886,19 +1347,22 @@ "description": "Copilot coding agent access was updated for the organization's or user's repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "new_access", + "old_access", + "org_id", + "owner_type", + "owner", "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -906,19 +1370,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "runner_group_id", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -926,19 +1394,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -946,79 +1416,257 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "runner_group_id", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", - "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" - }, - { - "action": "custom_property_value.create", - "description": "A repository's custom property value was manually set for the first time.", - "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], + "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" + }, + { + "action": "custom_property_value.create", + "description": "A repository's custom property value was manually set for the first time.", + "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { @@ -1026,19 +1674,22 @@ "description": "The default repository access for Dependabot was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", "org", - "repo", - "user", + "org_id", + "access_level", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -1046,25 +1697,38 @@ "description": "The repositories that Dependabot can access were updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -1072,25 +1736,40 @@ "description": "Dependabot security updates were enabled for all existing repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -1098,25 +1777,40 @@ "description": "Dependabot security updates were enabled for all new repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -1124,25 +1818,40 @@ "description": "The dependency graph was enabled for all existing repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -1150,19 +1859,20 @@ "description": "The dependency graph was enabled for all new repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { @@ -1170,19 +1880,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", + "org", + "repo_id", + "request_id", "action", "actor", + "org_id", + "_document_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", + "@timestamp", + "created_at", + "user_agent", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1190,19 +1902,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "repo_id", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", - "created_at", + "_document_id", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "repo", + "org_id", + "action", + "request_access_security_header" ] }, { @@ -1210,79 +1923,237 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "repo_id", + "user_agent", "actor_id", - "business", + "org_id", + "actor", "org", - "repo", - "user", - "created_at", + "action", "operation_type", + "@timestamp", + "request_id", + "title", + "_document_id", + "created_at", + "repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", - "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" - }, - { - "action": "discussion_post.update", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], + "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" + }, + { + "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_installation.create", "description": "The GitHub App associated with a GitHub Connect connection was created.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "operation_type", + "@timestamp", + "_document_id", + "org_id", + "action", + "request_id", + "org", + "actor_id", + "user_agent", + "actor" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "enterprise_installation.destroy", "description": "The GitHub App associated with a GitHub Connect connection was deleted.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "_document_id", + "action", + "@timestamp", + "actor_id", + "actor", + "user_agent", + "org", + "operation_type", + "request_id", + "org_id" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { @@ -1290,73 +2161,259 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "environment_name", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { @@ -1364,36 +2421,20 @@ "description": "A repository was cloned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", "actor", "actor_id", - "business", "org", - "repo", + "org_id", + "business", + "business_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_id", + "transport_protocol_name" ] }, { @@ -1401,73 +2442,42 @@ "description": "Changes were fetched from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", "actor", "actor_id", + "org", + "org_id", "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] + }, + { + "action": "git.push", + "description": "Changes were pushed to a repository.", + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", "org", - "repo", + "org_id", + "business", + "business_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" - ] - }, - { - "action": "git.push", - "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_id", + "transport_protocol_name" ] }, { @@ -1475,19 +2485,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1495,19 +2509,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -1515,19 +2531,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1535,19 +2554,25 @@ "description": "A hook's active status was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -1555,25 +2580,53 @@ "description": "A hook's configuration was changed.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "operation_type", "@timestamp", "_document_id", - "action", "actor", - "actor_id", - "business", + "name", "org", + "user_agent", + "request_id", + "hook_id", "repo", - "user", + "repo_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { @@ -1581,19 +2634,25 @@ "description": "A hook was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "events", "repo", - "user", "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -1601,19 +2660,26 @@ "description": "A hook's configured events were changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "events", "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -1621,19 +2687,22 @@ "description": "A GitHub App was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "operation_type", + "@timestamp", "actor", + "user_agent", "actor_id", - "business", - "org", - "repo", - "user", + "request_id", + "name", + "user_id", + "_document_id", + "integration", "created_at", - "operation_type", "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "application_client_id" ] }, { @@ -1641,19 +2710,19 @@ "description": "A GitHub App was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "user_id", "actor_id", - "business", - "org", - "repo", + "request_id", + "@timestamp", + "name", + "integration", "user", - "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent" ] }, { @@ -1661,85 +2730,282 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "name", + "integration", "business", - "org", - "repo", - "user", - "created_at", + "business_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "application_client_id" ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation_request.close", "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "url", + "actor", + "actor_id", + "created_at", + "request_id", + "operation_type", + "@timestamp", + "integration", + "action", + "user_agent", + "reason", + "_document_id", + "org", + "org_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation_request.create", "description": "A member requested that an owner install a GitHub App.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "@timestamp", + "actor_id", + "org", + "_document_id", + "requester", + "action", + "user_agent", + "created_at", + "url", + "org_id", + "request_id", + "operation_type", + "actor", + "integration", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { @@ -1747,19 +3013,20 @@ "description": "A client secret for a GitHub App was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" ] }, { @@ -1767,19 +3034,20 @@ "description": "All user tokens for a GitHub App were requested to be revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "application_client_id" ] }, { @@ -1787,37 +3055,93 @@ "description": "Token(s) for a GitHub App were revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "application_client_id" ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { @@ -1825,19 +3149,19 @@ "description": "An IP allow list was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "operation_type", "actor", - "actor_id", - "business", + "request_id", "org", - "repo", - "user", + "user_agent", + "_document_id", + "user_id", + "actor_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "action", + "@timestamp", + "user" ] }, { @@ -1845,19 +3169,19 @@ "description": "An IP allow list was disabled for installed GitHub Apps.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { @@ -1865,19 +3189,21 @@ "description": "An IP allow list was enabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", "_document_id", "action", - "actor", + "@timestamp", + "user_agent", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "created_at" ] }, { @@ -1885,19 +3211,19 @@ "description": "An IP allow list was enabled for installed GitHub Apps.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { @@ -1905,19 +3231,24 @@ "description": "An IP address was added to an IP allow list.", "docs_reference_links": "N/A", "fields": [ + "active", + "org", + "ip_allow_list_entry", "@timestamp", "_document_id", + "operation_type", + "created_at", + "user_agent", "action", - "actor", + "request_id", "actor_id", + "business_id", + "org_id", "business", - "org", - "repo", - "user", - "created_at", - "operation_type", + "actor", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1925,19 +3256,24 @@ "description": "An IP address was deleted from an IP allow list.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1945,19 +3281,19 @@ "description": "An IP address or its description was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" ] }, { @@ -1965,19 +3301,22 @@ "description": "A comment on an issue was deleted from the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", + "org_id", "org", "repo", - "user", + "actor_id", + "@timestamp", "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "repo_id", + "actor", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -1985,37 +3324,94 @@ "description": "A comment on an issue (other than the initial one) changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", "repo", - "user", + "org", + "action", + "repo_id", + "org_id", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "user_agent", + "request_id", + "_document_id", + "actor_id", + "actor", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "issue.destroy", "description": "An issue was deleted from the repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/deleting-an-issue", - "docs_reference_titles": "Deleting an issue" - }, + "fields": [ + "user", + "actor_id", + "created_at", + "title", + "@timestamp", + "_document_id", + "request_id", + "actor", + "user_id", + "action", + "operation_type", + "user_agent", + "repo", + "token_scopes", + "programmatic_access_type" + ], + "docs_reference_titles": "Deleting an issue" + }, { "action": "issue.pinned", "description": "An issue was pinned to a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "_document_id", + "user_agent", + "actor_id", + "created_at", + "action", + "actor", + "operation_type", + "owner_type", + "@timestamp", + "repo_id", + "request_id", + "number", + "repo", + "event", + "user", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issue.transfer", "description": "An issue was transferred to another repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/transferring-an-issue-to-another-repository", + "fields": [ + "user", + "user_id", + "@timestamp", + "user_agent", + "owner_type", + "actor_id", + "number", + "repo", + "operation_type", + "_document_id", + "repo_id", + "action", + "request_id", + "created_at", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "Transferring an issue to another repository" }, { @@ -2023,19 +3419,23 @@ "description": "An issue type was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "issue_type_name", + "description", + "color", + "enabled", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2043,19 +3443,23 @@ "description": "An issue type was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "issue_type_name", + "description", + "color", + "enabled", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2063,43 +3467,116 @@ "description": "An issue type was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "issue_type_name", + "description", + "color", + "enabled", + "old_issue_type_name", + "old_description", + "old_color", + "old_enabled", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "issue.unpinned", "description": "An issue was unpinned from a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "event", + "user_agent", + "actor_id", + "repo_id", + "actor", + "action", + "created_at", + "request_id", + "repo", + "operation_type", + "_document_id", + "number", + "owner_type", + "@timestamp", + "user", + "user_id", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issues.deletes_disabled", "description": "The ability for enterprise members to delete issues was disabled Members cannot delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user_agent", + "action", + "@timestamp", + "operation_type", + "request_id", + "actor_id", + "user_id", + "created_at", + "_document_id", + "actor", + "user", + "org", + "org_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_enabled", "description": "The ability for enterprise members to delete issues was enabled Members can delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "operation_type" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_policy_cleared", "description": "An enterprise owner cleared the policy setting for allowing members to delete issues in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user", + "request_id", + "actor", + "business_id", + "action", + "operation_type", + "user_agent", + "created_at", + "@timestamp", + "_document_id", + "business", + "user_id", + "actor_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { @@ -2107,19 +3584,18 @@ "description": "The GitHub Marketplace Developer Agreement was signed.", "docs_reference_links": "N/A", "fields": [ + "request_id", + "actor", + "actor_id", "@timestamp", "_document_id", + "user_agent", + "operation_type", + "created_at", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -2127,19 +3603,21 @@ "description": "A listing was approved for inclusion in GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "secondary_category", "actor", - "actor_id", - "business", - "org", - "repo", + "primary_category", "user", - "created_at", + "@timestamp", + "_document_id", + "user_id", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" ] }, { @@ -2147,19 +3625,21 @@ "description": "A category for a listing for an app in GitHub Marketplace was changed.", "docs_reference_links": "N/A", "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", "@timestamp", - "_document_id", + "integration", + "org_id", "action", - "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "secondary_category", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "actor_id", + "_document_id" ] }, { @@ -2167,19 +3647,22 @@ "description": "A listing for an app in GitHub Marketplace was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "primary_category", "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp" ] }, { @@ -2187,19 +3670,21 @@ "description": "A listing was removed from GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "org", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "org_id", "created_at", + "secondary_category", "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" ] }, { @@ -2207,19 +3692,22 @@ "description": "A listing was sent back to draft state.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" ] }, { @@ -2227,73 +3715,225 @@ "description": "A listing was not accepted for inclusion in GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "members_can_create_pages.disable", "description": "The ability for members to publish GitHub Pages sites was disabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_pages.enable", "description": "The ability for members to publish GitHub Pages sites was enabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.disable", "description": "The ability for members to publish private GitHub Pages was disabled Members cannot publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.enable", "description": "The ability for members to publish private GitHub Pages was enabled Members can publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.disable", "description": "The ability for members to publish public GitHub Pages was disabled Members cannot publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.enable", "description": "The ability for members to publish public GitHub Pages was enabled Members can publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", - "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" - }, - { - "action": "members_can_delete_repos.clear", - "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.", - "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", - "docs_reference_titles": "Enforcing repository management policies in your enterprise" - }, + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], + "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" + }, + { + "action": "members_can_delete_repos.clear", + "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.", + "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "_document_id", + "request_id", + "user", + "user_id", + "business", + "operation_type", + "user_agent", + "actor", + "actor_id", + "business_id", + "@timestamp", + "created_at", + "action" + ], + "docs_reference_titles": "Enforcing repository management policies in your enterprise" + }, { "action": "members_can_delete_repos.disable", "description": "The ability for enterprise members to delete repositories was disabled Members cannot delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "request_id", + "org", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "actor", + "operation_type", + "org_id", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.enable", "description": "The ability for enterprise members to delete repositories was enabled Members can delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "action", + "org_id", + "user_id", + "business", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user", + "business_id", + "created_at", + "actor", + "org", + "operation_type", + "user_agent" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { @@ -2303,29 +3943,61 @@ "fields": [ "@timestamp", "_document_id", - "action", - "actor", + "user_agent", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "actor", + "action", + "operation_type" ] }, { "action": "members_can_view_dependency_insights.disable", "description": "The ability for enterprise members to view dependency insights was disabled. Members cannot view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "business", + "created_at", + "user_id", + "business_id", + "user", + "org", + "operation_type", + "request_id", + "actor", + "_document_id", + "action", + "user_agent", + "actor_id", + "org_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "members_can_view_dependency_insights.enable", "description": "The ability for enterprise members to view dependency insights was enabled. Members can view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "user_agent", + "user", + "user_id", + "business", + "business_id", + "operation_type", + "@timestamp", + "action", + "actor", + "actor_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { @@ -2333,19 +4005,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2353,19 +4025,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2373,19 +4049,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2393,19 +4068,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2413,19 +4089,14 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "user", "@timestamp", "_document_id", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_access_security_header" ] }, { @@ -2433,19 +4104,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -2453,19 +4124,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "action", "org", - "repo", - "user", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" ] }, { @@ -2473,19 +4143,23 @@ "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo", + "org_id", "_document_id", + "org", + "repo_id", "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2493,19 +4167,16 @@ "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was deleted.", "docs_reference_links": "N/A", "fields": [ + "org", "@timestamp", - "_document_id", + "org_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "repo", + "_document_id", + "repo_id", + "request_access_security_header" ] }, { @@ -2513,97 +4184,309 @@ "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was downloaded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "org_id", + "request_id", + "oauth_application_id", + "repo_id", + "operation_type", + "@timestamp", + "user_agent", + "created_at", "org", + "action", + "_document_id", "repo", - "user", - "created_at", - "operation_type", + "actor", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "network_configuration.create", "description": "A network configuration for a hosted compute service was created.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.delete", "description": "A network configuration for a hosted compute service was deleted.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.update", "description": "A network configuration for a hosted compute service was updated.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", - "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" - }, - { - "action": "oauth_application.generate_client_secret", - "description": "An OAuth application's secret key was generated.", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], + "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" + }, + { + "action": "oauth_application.generate_client_secret", + "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { @@ -2611,19 +4494,22 @@ "description": "An organization prevented access to resources by users with the given two-factor method.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "two_factor_method", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2631,19 +4517,22 @@ "description": "A user joined an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "permission", "_document_id", - "action", - "actor", - "actor_id", - "business", "org", - "repo", + "operation_type", + "request_id", + "actor", "user", + "@timestamp", "created_at", - "operation_type", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2651,19 +4540,24 @@ "description": "An outside collaborator was added to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "inviter", "org", + "org_id", "repo", - "user", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2671,19 +4565,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "org_id", "org", - "repo", - "user", + "team", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "programmatic_access_type" ] }, { @@ -2691,18 +4587,19 @@ "description": "GitHub Advanced Security was disabled for new repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -2711,18 +4608,21 @@ "description": "GitHub Advanced Security was disabled for all repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -2731,18 +4631,19 @@ "description": "GitHub Advanced Security was enabled for new repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -2751,18 +4652,21 @@ "description": "GitHub Advanced Security was enabled for all repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -2770,30 +4674,105 @@ "action": "org.advanced_security_entity_policy_update", "description": "An enterprise owner updated the GitHub Advanced Security access policy for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "new_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_disabled", "description": "Third-party application access for outside collaborators was disabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_enabled", "description": "Third-party application access for outside collaborators was enabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { @@ -2801,31 +4780,59 @@ "description": "The organization was archived.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "org.audit_log_export", "description": "An export of the organization audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log", - "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" - }, - { + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "actor", + "org", + "action", + "created_at", + "user_agent", + "actor_id" + ], + "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" + }, + { "action": "org.audit_log_git_event_export", "description": "An export of the organization's Git events was created.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "start", + "end", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization" }, { @@ -2833,31 +4840,59 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "created_at", + "request_id", + "user_agent", + "action", "@timestamp", + "actor_id", + "org_id", "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { @@ -2865,19 +4900,22 @@ "description": "An invitation sent to a user to join an organization was revoked.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "org_id", + "request_id", + "email", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "action", + "operation_type", + "user_agent", "org", - "repo", - "user", + "invitation_id", + "_document_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "invitee_email", + "token_scopes", + "programmatic_access_type" ] }, { @@ -2885,19 +4923,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -2905,19 +4943,19 @@ "description": "Cleared two-factor authentication restrictions for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2925,19 +4963,23 @@ "description": "Autofix for code scanning alerts was disabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2945,19 +4987,21 @@ "description": "Autofix for code scanning alerts was enabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2965,19 +5009,23 @@ "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2985,43 +5033,114 @@ "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codespaces_access_updated", "description": "Access to use Codespaces on internal and private repositories was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization" }, { "action": "org.codespaces_ownership_updated", "description": "Ownership and payment for codespaces was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { @@ -3029,19 +5148,18 @@ "description": "A team has been allowed to use Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -3049,31 +5167,58 @@ "description": "A team has been prevented from using Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "org.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to all other repositories in an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to all other repositories in an organization was revoked.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { @@ -3081,19 +5226,21 @@ "description": "A user has been allowed to use Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -3101,55 +5248,135 @@ "description": "A user has been prevented from using Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { @@ -3157,49 +5384,126 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", + "token_id", + "token_scopes", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.connect_usage_metrics_export", "description": "Server statistics were exported for the organization.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/exporting-server-statistics", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Exporting Server Statistics" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.create_actions_secret", "description": "A GitHub Actions secret was created for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.create_actions_variable", "description": "A GitHub Actions variable was created for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -3207,18 +5511,20 @@ "description": "A Codespaces or Dependabot secret was created for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "key", + "visibility", + "integration", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -3226,18 +5532,90 @@ "action": "org_credential_authorization.deauthorize", "description": "A member removed the SSO (SAML or OIDC) authorization from a credential that had access to your organization.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor_id", + "org_id", + "business", + "action", + "@timestamp", + "org", + "_document_id", + "business_id", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authorizing a personal access token for use with single sign-on" }, { "action": "org_credential_authorization.grant", "description": "A member authorized credentials for use with SAML or OIDC single sign-on.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "created_at", + "org_id", + "business_id", + "operation_type", + "request_id", + "_document_id", + "action", + "actor_id", + "business", + "org", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "request_access_security_header", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authenticating with single sign-on" }, { "action": "org_credential_authorization.revoke", "description": "An owner revoked authorized credentials.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization", + "fields": [ + "actor", + "org", + "@timestamp", + "owner", + "oauth_application_id", + "org_id", + "operation_type", + "action", + "business", + "request_id", + "created_at", + "business_id", + "actor_id", + "_document_id", + "user_agent", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { @@ -3245,37 +5623,80 @@ "description": "An organization was deleted by a user or staff.", "docs_reference_links": "N/A", "fields": [ + "user_agent", "@timestamp", "_document_id", - "action", + "created_at", "actor", - "actor_id", - "business", + "org_id", "org", - "repo", - "user", - "created_at", + "action", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "request_access_security_header" ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were disabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "org_id", + "action", + "_document_id", + "request_id", + "@timestamp", + "actor", + "org", + "operation_type", + "user_agent", + "created_at" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { @@ -3283,25 +5704,38 @@ "description": "SAML single sign-on was disabled for an organization.", "docs_reference_links": "N/A", "fields": [ + "org_id", + "sso_url", + "issuer", + "action", "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "operation_type" ] }, { "action": "org.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { @@ -3309,19 +5743,17 @@ "description": "A two-factor authentication requirement was disabled for the organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "created_at", + "org", + "org_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "@timestamp", + "_document_id", + "user_agent" ] }, { @@ -3329,19 +5761,19 @@ "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", + "user_id", "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" ] }, { @@ -3349,55 +5781,143 @@ "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "org", + "user_agent", + "request_id", + "actor", "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were enabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "operation_type", + "org", + "created_at", + "_document_id", + "actor", + "org_id", + "action", + "user_agent", + "request_id", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { @@ -3405,19 +5925,18 @@ "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "org_id", + "manager", "@timestamp", - "_document_id", - "action", + "request_id", "actor", + "operation_type", + "_document_id", "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "created_at" ] }, { @@ -3425,25 +5944,43 @@ "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", "docs_reference_links": "N/A", "fields": [ + "org_id", "@timestamp", - "_document_id", + "org", + "user_agent", + "request_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "manager", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "_document_id" ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { @@ -3451,19 +5988,19 @@ "description": "An organization was invited to join an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -3471,19 +6008,19 @@ "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", + "org_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -3491,25 +6028,41 @@ "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", "docs_reference_links": "N/A", "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", "@timestamp", + "created_at", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action" ] }, { "action": "org.oauth_app_access_approved", "description": "Access to an organization was granted for an OAuth App.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization", + "fields": [ + "url", + "actor", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "org_id", + "_document_id", + "org", + "action", + "created_at", + "@timestamp", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization" }, { @@ -3517,25 +6070,41 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "url", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { "action": "org.oauth_app_access_denied", "description": "Access was disabled for an OAuth App that was previously approved.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization", + "fields": [ + "request_id", + "url", + "created_at", + "org_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "org", + "operation_type", + "actor", + "actor_id", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization" }, { @@ -3543,19 +6112,20 @@ "description": "An organization member requested that an owner grant an OAuth App access to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "operation_type", + "created_at", + "user_agent", "actor_id", - "business", + "_document_id", + "request_id", + "url", + "org_id", + "action", + "@timestamp", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "oauth_application_name" ] }, { @@ -3563,19 +6133,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "url", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -3584,78 +6155,231 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", + "created_at", + "request_id", + "org_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "org" ] }, { "action": "org.recovery_code_failed", "description": "An organization owner failed to sign into a organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_code_used", "description": "An organization owner successfully signed into an organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_codes_downloaded", "description": "An organization owner downloaded the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_generated", "description": "An organization owner generated the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_printed", "description": "An organization owner printed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_viewed", "description": "An organization owner viewed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_actions_secret", "description": "A GitHub Actions secret was removed from an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.remove_actions_variable", "description": "A GitHub Actions variable was removed from an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { @@ -3663,19 +6387,22 @@ "description": "Removed a two-factor authentication method restriction for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "two_factor_method", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -3683,18 +6410,21 @@ "description": "A Codespaces or Dependabot secret was removed from an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "key", + "integration", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -3703,19 +6433,21 @@ "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", "created_at", + "user", "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "org", + "token_scopes", + "programmatic_access_type" ] }, { @@ -3723,19 +6455,21 @@ "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", "org", - "repo", "user", + "org_id", "created_at", + "request_id", + "@timestamp", + "action", "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -3743,25 +6477,41 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "org_id", "org", - "repo", - "user", + "team", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "programmatic_access_type" ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { @@ -3769,151 +6519,514 @@ "description": "An organization was renamed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", "_document_id", + "@timestamp", + "org", "action", "actor", + "old_login", + "org_id", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_access_security_header" ] }, { "action": "org.required_workflow_create", "description": "Triggered when a required workflow is created.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_delete", "description": "Triggered when a required workflow is deleted.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_update", "description": "Triggered when a required workflow is updated.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.revoke_external_identity", "description": "A member's linked identity was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor", + "org", + "org_id", + "user", + "operation_type", + "user_id", + "@timestamp", + "action", + "actor_id", + "user_agent", + "_document_id", + "request_id", + "created_at" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.revoke_sso_session", "description": "A member's SAML session was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor_id", + "created_at", + "user", + "action", + "operation_type", + "@timestamp", + "org", + "org_id", + "user_agent", + "request_id", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_renamed", "description": "A self-hosted runner group was renamed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_visiblity_updated", "description": "The visibility of a self-hosted runner group was updated via the REST API.", "docs_reference_links": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization", - "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" - }, - { - "action": "org_secret_scanning_automatic_validity_checks.disabled", - "description": "Automatic partner validation checks have been disabled at the organization level", - "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", - "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "visibility", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], + "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" + }, + { + "action": "org_secret_scanning_automatic_validity_checks.disabled", + "description": "Automatic partner validation checks have been disabled at the organization level", + "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], + "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { @@ -3921,19 +7034,22 @@ "description": "Generic secrets have been disabled at the organization level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -3941,109 +7057,374 @@ "description": "Generic secrets have been enabled at the organization level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", - "docs_reference_titles": "About push protection" - }, - { - "action": "org.secret_scanning_push_protection_new_repos_enable", - "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", - "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], + "docs_reference_titles": "About push protection" + }, + { + "action": "org.secret_scanning_push_protection_new_repos_enable", + "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", + "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { @@ -4051,19 +7432,27 @@ "description": "A CSV export was requested on the CodeQL pull request alerts page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -4071,19 +7460,26 @@ "description": "A CSV export was requested on the Coverage page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4091,19 +7487,28 @@ "description": "A CSV export was requested on the Overview Dashboard page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4111,55 +7516,137 @@ "description": "A CSV export was requested on the Risk page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { @@ -4167,37 +7654,77 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", "_document_id", - "action", + "org_id", + "operation_type", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", + "request_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "action" ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { @@ -4205,31 +7732,68 @@ "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "user_agent", "actor", "actor_id", - "business", + "org_id", + "@timestamp", "org", - "repo", - "user", - "created_at", + "issuer", + "business", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "org.transfer", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "from_business", + "to_business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.transfer_outgoing", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "business", + "business_id", + "from_business", + "to_business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { @@ -4237,43 +7801,107 @@ "description": "The organization was unarchived.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_secret", "description": "A GitHub Actions secret was updated for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "created_at", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_actions_variable", "description": "A GitHub Actions variable was updated for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -4281,19 +7909,20 @@ "description": "The default repository permission level for organization members was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" ] }, { @@ -4301,19 +7930,22 @@ "description": "A Codespaces or Dependabot secret was updated for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "key", + "visibility", + "integration", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4322,18 +7954,20 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", + "org_id", + "created_at", "_document_id", + "user", + "user_id", "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "old_permission", + "permission", + "actor", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "org" ] }, { @@ -4341,31 +7975,60 @@ "description": "The create repository permission for organization members was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "action", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "permission", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_new_repository_default_branch_setting", "description": "The name of the default branch was changed for new repositories in the organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization" }, { @@ -4373,19 +8036,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "old_repo_runners_policy", + "new_repo_runners_policy", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4393,67 +8056,173 @@ "description": "An organization's SAML provider settings were updated.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", "@timestamp", + "issuer", + "org", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "org_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "action" ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_default_label.create", "description": "A default label was created for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label", + "fields": [ + "request_id", + "actor_id", + "actor", + "org", + "org_id", + "operation_type", + "_document_id", + "action", + "created_at", + "@timestamp", + "user_agent", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label" }, { "action": "organization_default_label.destroy", "description": "A default label was deleted for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label", + "fields": [ + "operation_type", + "request_id", + "actor", + "@timestamp", + "_document_id", + "actor_id", + "org_id", + "org", + "action", + "created_at", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label" }, { "action": "organization_default_label.update", "description": "A default label was edited for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label", + "fields": [ + "org", + "created_at", + "@timestamp", + "actor", + "action", + "user_agent", + "actor_id", + "org_id", + "operation_type", + "request_id", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { @@ -4461,19 +8230,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "team", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4481,19 +8249,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4501,19 +8269,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "team", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4521,67 +8288,222 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { "action": "organization_projects_change.clear", "description": "An enterprise owner cleared the policy setting for organization-wide project boards in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor", + "business_id", + "@timestamp", + "actor_id", + "user", + "user_id", + "action", + "user_agent", + "_document_id", + "created_at", + "operation_type", + "request_id", + "business" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.disable", "description": "Organization projects were disabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "org_id", + "action", + "user", + "org", + "created_at", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.enable", "description": "Organization projects were enabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor_id", + "org_id", + "created_at", + "user_id", + "org", + "@timestamp", + "_document_id", + "user_agent", + "actor", + "request_id", + "user", + "action", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_role.assign", "description": "An organization role was assigned to a user or team.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.create", "description": "A custom organization role was created in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", - "docs_reference_titles": "About custom organization roles" - }, - { - "action": "organization_role.destroy", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], + "docs_reference_titles": "About custom organization roles" + }, + { + "action": "organization_role.destroy", "description": "A custom organization role was deleted in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.revoke", "description": "A user or team was unassigned an organization role.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.update", "description": "A custom organization role was edited in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "old_role_permissions", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "old_base_role" + ], "docs_reference_titles": "About custom organization roles" }, { @@ -4589,25 +8511,45 @@ "description": "An organization's default project base role was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { @@ -4615,25 +8557,49 @@ "description": "A package was published or republished to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "actor", "org", + "org_id", "repo", - "user", - "created_at", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { @@ -4641,37 +8607,87 @@ "description": "A specific package version was published or republished to a package.", "docs_reference_links": "N/A", "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", "@timestamp", + "created_at", "_document_id", - "action", - "actor", - "actor_id", "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business_id", + "actor_is_bot" ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { @@ -4679,19 +8695,18 @@ "description": "A new payment method was added, such as a new credit card or PayPal account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", "_document_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4699,19 +8714,16 @@ "description": "A payment method was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "_document_id", + "request_access_security_header" ] }, { @@ -4719,25 +8731,40 @@ "description": "An existing payment method was updated.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", "@timestamp", - "_document_id", "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "_document_id", + "request_access_security_header" ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { @@ -4745,19 +8772,22 @@ "description": "The configured restriction for access to resources via personal access tokens was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "programmatic_access_type", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4765,25 +8795,44 @@ "description": "The configured restriction for access to resources via personal access tokens was enabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "programmatic_access_type", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { @@ -4791,19 +8840,21 @@ "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -4811,19 +8862,21 @@ "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -4831,19 +8884,23 @@ "description": "A personal access token expiration limit was set.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", + "user_agent", + "request_id", "programmatic_access_type", - "token_scopes" + "token_expiration", + "old_token_expiration", + "exempt_administrators", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4851,19 +8908,21 @@ "description": "A personal access token expiration limit was unset.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "old_token_expiration", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4871,55 +8930,165 @@ "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "user_programmatic_access_name", "org", - "repo", - "user", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_programmatic_access_request_id" ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "prebuild_configuration.create", "description": "A GitHub Codespaces prebuild configuration for a repository was created.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.destroy", "description": "A GitHub Codespaces prebuild configuration for a repository was deleted.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.run_triggered", "description": "A user initiated a run of a GitHub Codespaces prebuild configuration for a repository branch.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.update", "description": "A GitHub Codespaces prebuild configuration for a repository was edited.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { @@ -4927,19 +9096,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4947,19 +9114,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4967,19 +9134,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4987,19 +9152,19 @@ "description": "An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "user_id", "action", - "actor", + "operation_type", + "@timestamp", + "business_id", "actor_id", - "business", - "org", - "repo", "user", + "business", + "request_id", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id" ] }, { @@ -5007,19 +9172,23 @@ "description": "An enterprise owner disabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are never allowed to be forked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo_id", + "created_at", + "actor_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "repo", + "action", + "user_agent", + "@timestamp", + "org", "operation_type", + "request_id", + "user_id", + "org_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5027,19 +9196,23 @@ "description": "An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "actor_id", + "user_id", + "operation_type", "_document_id", "action", - "actor", - "actor_id", - "business", - "org", + "@timestamp", "repo", + "org", + "business", + "user_agent", + "request_id", + "actor", + "repo_id", "user", + "org_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business_id" ] }, { @@ -5047,19 +9220,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -5067,19 +9240,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -5087,19 +9260,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -5107,25 +9280,39 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { @@ -5133,19 +9320,17 @@ "description": "A project board visibility was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", + "actor", + "user_agent", + "operation_type", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" ] }, { @@ -5153,25 +9338,48 @@ "description": "A project's base role was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", + "project_number", + "public_project", "business", + "project_id", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { @@ -5179,19 +9387,25 @@ "description": "A collaborator was added to a project.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "collaborator_type", "org", - "repo", - "user", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" ] }, { @@ -5199,19 +9413,20 @@ "description": "A collaborator was removed from a project.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "collaborator_type", "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5219,19 +9434,25 @@ "description": "A project collaborator's permission level was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5239,19 +9460,17 @@ "description": "A project board was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "operation_type", + "user", "_document_id", - "action", - "actor", + "request_id", + "user_id", + "user_agent", + "@timestamp", "actor_id", - "business", - "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor" ] }, { @@ -5259,31 +9478,57 @@ "description": "A project board was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { @@ -5291,25 +9536,41 @@ "description": "A repository was linked to a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "org_id", + "user_agent", + "request_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { @@ -5317,19 +9578,22 @@ "description": "A project board was renamed.", "docs_reference_links": "N/A", "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", "@timestamp", + "repo", "_document_id", - "action", + "user_agent", + "org_id", + "business_id", "actor", - "actor_id", - "business", + "repo_id", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business" ] }, { @@ -5337,19 +9601,19 @@ "description": "A repository was unlinked from a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo", + "repo_id", + "operation_type", "actor", + "action", + "created_at", "actor_id", - "business", + "_document_id", + "request_id", + "@timestamp", + "user_agent", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { @@ -5357,19 +9621,17 @@ "description": "The project's base-level permission for all organization members was changed or removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "@timestamp", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" ] }, { @@ -5377,19 +9639,18 @@ "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "org_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" ] }, { @@ -5397,31 +9658,60 @@ "description": "A user was added to or removed from a project board or had their permission level changed.", "docs_reference_links": "N/A", "fields": [ + "request_id", + "user_id", + "operation_type", "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_agent", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { @@ -5429,19 +9719,20 @@ "description": "A project's visibility was changed from public to private.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "project_kind", + "project_name" ] }, { @@ -5449,25 +9740,45 @@ "description": "A project's visibility was changed from private to public.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "project_kind", + "project_name", + "request_access_security_header" ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { @@ -5475,19 +9786,29 @@ "description": "A protected branch allowance was given to a specific user, team or integration.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "name", + "authorized_actors", + "policy", "repo", - "user", - "created_at", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -5495,19 +9816,27 @@ "description": "Branch protection was enabled on a branch.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "repo_id", + "user_id", "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", "_document_id", - "action", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" ] }, { @@ -5515,19 +9844,24 @@ "description": "Branch protection was disabled on a branch.", "docs_reference_links": "N/A", "fields": [ + "name", + "repo", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "actor_id", + "request_id", + "repo_id", + "org_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" ] }, { @@ -5535,19 +9869,22 @@ "description": "Enforcement of dismissing stale pull requests was updated on a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "repo", + "org", + "name", + "programmatic_access_type" ] }, { @@ -5555,19 +9892,24 @@ "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo", + "repo_id", "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { @@ -5575,19 +9917,32 @@ "description": "A branch protection requirement was overridden by a repository administrator.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo_id", + "created_at", "actor", + "reasons", + "@timestamp", + "before", + "after", "actor_id", - "business", - "org", "repo", - "user", - "created_at", "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", "programmatic_access_type", - "token_scopes" + "compliant_pull_request_ids", + "rule_suite_id" ] }, { @@ -5595,19 +9950,31 @@ "description": "A branch update attempt was rejected.", "docs_reference_links": "N/A", "fields": [ + "repo", + "org", "@timestamp", + "created_at", "_document_id", - "action", - "actor", - "actor_id", "business", - "org", - "repo", - "user", - "created_at", + "org_id", "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", "programmatic_access_type", - "token_scopes" + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" ] }, { @@ -5615,19 +9982,23 @@ "description": "Branch protection was enforced for repository administrators.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", + "admin_enforced", + "operation_type", + "user_agent", + "actor", "org", + "name", "repo", - "user", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -5635,19 +10006,22 @@ "description": "Branch deletion was enabled or disabled for a protected branch.", "docs_reference_links": "N/A", "fields": [ + "name", + "operation_type", + "request_id", + "repo", "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", + "org_id", "org", - "repo", - "user", + "action", + "allow_deletions_enforcement_level", + "_document_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" ] }, { @@ -5655,25 +10029,49 @@ "description": "Force pushes were enabled or disabled for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "org_id", + "actor_id", + "name", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { @@ -5681,37 +10079,99 @@ "description": "Required linear commit history was enabled or disabled for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "actor_id", "action", + "user_agent", + "operation_type", "actor", - "actor_id", - "business", - "org", + "linear_history_requirement_enforcement_level", "repo", - "user", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "programmatic_access_type" ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { @@ -5719,19 +10179,24 @@ "description": "A branch name pattern was updated for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "name", + "old_name", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5739,19 +10204,25 @@ "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "name", + "org_id", "_document_id", - "action", - "actor", "actor_id", - "business", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", "org", "repo", - "user", + "action", + "business", + "user_agent", "created_at", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "token_scopes", + "programmatic_access_type" ] }, { @@ -5759,25 +10230,46 @@ "description": "Enforcement of required code owner review was updated for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", "action", + "@timestamp", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { @@ -5785,19 +10277,22 @@ "description": "Enforcement of the required number of approvals before merging was updated on a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "required_approving_review_count", "repo", - "user", + "request_id", + "repo_id", "created_at", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" ] }, { @@ -5805,19 +10300,25 @@ "description": "Enforcement of required status checks was updated for a branch.", "docs_reference_links": "N/A", "fields": [ + "actor", + "org_id", + "user_agent", "@timestamp", "_document_id", + "name", + "repo", "action", - "actor", - "actor_id", + "business_id", + "repo_id", "business", - "org", - "repo", - "user", - "created_at", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" ] }, { @@ -5825,19 +10326,22 @@ "description": "Enforcement of required commit signing was updated for a branch.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "name", "@timestamp", + "created_at", "_document_id", + "request_id", + "repo_id", + "org", + "org_id", "action", "actor", "actor_id", - "business", - "org", + "signature_requirement_enforcement_level", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "programmatic_access_type" ] }, { @@ -5845,85 +10349,286 @@ "description": "Enforcement of required status checks was updated for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", + "_document_id", "org", - "repo", - "user", + "@timestamp", "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { @@ -5931,19 +10636,17 @@ "description": "A pull request was marked as in progress.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5951,31 +10654,64 @@ "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { @@ -5983,25 +10719,52 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "pull_request_id", + "pull_request_url", + "pull_request_title", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { @@ -6009,25 +10772,39 @@ "description": "A pull request was reopened after previously being closed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { @@ -6035,19 +10812,20 @@ "description": "A review comment on a pull request was deleted.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "actor", "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", "repo", - "user", "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -6055,19 +10833,18 @@ "description": "A review comment on a pull request was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "operation_type", + "user_agent", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -6075,73 +10852,239 @@ "description": "A review on a pull request was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "review_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { @@ -6149,42 +11092,46 @@ "description": "Pull request merge options were changed for a repository.", "docs_reference_links": "N/A", "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", "@timestamp", "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "action", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { @@ -6192,36 +11139,24 @@ "description": "Autofix for code scanning alerts was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -6229,36 +11164,24 @@ "description": "Autofix for code scanning alerts was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -6266,36 +11189,24 @@ "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -6303,42 +11214,51 @@ "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { @@ -6346,36 +11266,19 @@ "description": "Prevention of direct alert dismissal for code scanning was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "repo_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" ] }, { @@ -6383,54 +11286,102 @@ "description": "Prevention of direct alert dismissal for code scanning was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "repo_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" ] }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { @@ -6438,36 +11389,20 @@ "description": "GitHub Codespaces was granted trusted repository access to this repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -6475,72 +11410,136 @@ "description": "GitHub Codespaces trusted repository access to this repository was revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { @@ -6548,54 +11547,108 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "oauth_application_id", + "token_id", + "token_scopes", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -6603,48 +11656,77 @@ "description": "A Codespaces or Dependabot secret was created for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "visibility", + "integration", "repo", - "user", - "created_at", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type", + "request_access_security_header" ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { @@ -6652,36 +11734,23 @@ "description": "A GitHub Pages custom domain was modified in a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "@timestamp", + "visibility", "repo", + "repo_id", "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "old_cname", + "programmatic_access_type" ] }, { @@ -6689,36 +11758,21 @@ "description": "A GitHub Pages site was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "actor_id", + "user", "_document_id", + "user_id", + "visibility", "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", "actor", - "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type" ] }, { @@ -6726,36 +11780,21 @@ "description": "A GitHub Pages site was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "created_at", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "operation_type", + "repo_id", + "programmatic_access_type" ] }, { @@ -6763,36 +11802,22 @@ "description": "HTTPS redirects were disabled for a GitHub Pages site.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "actor_id", + "repo_id", "_document_id", - "action", + "user_agent", "actor", - "actor_id", - "business", - "org", + "visibility", + "user_id", + "request_id", "repo", - "user", - "created_at", + "@timestamp", "operation_type", + "action", + "created_at", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -6800,73 +11825,42 @@ "description": "HTTPS redirects were enabled for a GitHub Pages site.", "docs_reference_links": "N/A", "fields": [ + "request_id", "@timestamp", - "_document_id", - "action", + "user_agent", + "user_id", + "created_at", + "visibility", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -6874,36 +11868,22 @@ "description": "A GitHub Pages site visibility was changed to public.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -6911,36 +11891,18 @@ "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "visibility", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -6948,36 +11910,22 @@ "description": "A GitHub Pages site that was previously soft-deleted was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "visibility", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -6985,54 +11933,91 @@ "description": "A GitHub Pages source was modified.", "docs_reference_links": "N/A", "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", "@timestamp", + "repo_id", + "user", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "request_id", + "visibility", "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "programmatic_access_type" ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -7040,48 +12025,74 @@ "description": "A Codespaces or Dependabot secret was deleted for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "integration", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { @@ -7089,42 +12100,49 @@ "description": "A topic was removed from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", "actor", - "actor_id", "business", - "org", + "request_id", "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { @@ -7132,36 +12150,26 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "old_branch", + "new_branch", + "default_branch", "repo", + "repo_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { @@ -7169,90 +12177,216 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", "action", - "actor", + "_document_id", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { @@ -7262,40 +12396,42 @@ "fields": [ "@timestamp", "_document_id", - "action", - "actor", + "user_agent", "actor_id", - "business", + "created_at", + "actor", + "repo_id", + "action", "org", + "org_id", + "request_id", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "operation_type" ] }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { @@ -7303,36 +12439,23 @@ "description": "A repository was transferred to another repository network.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -7342,83 +12465,94 @@ "fields": [ "@timestamp", "_document_id", + "operation_type", + "user_id", + "request_id", + "user", "action", + "user_agent", + "created_at", "actor", + "visibility", + "repo_id", "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", + "fields": [ + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", + "policy", + "old_policy", "repo", - "user", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id" ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { @@ -7426,42 +12560,52 @@ "description": "A repository administrator changed GitHub Actions policy settings for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "actor_is_bot" ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -7469,36 +12613,23 @@ "description": "The default branch for a repository was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", + "repo_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type", + "actor_is_bot" ] }, { @@ -7506,36 +12637,26 @@ "description": "A Codespaces or Dependabot secret was updated for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "visibility", + "integration", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "request_access_security_header" ] }, { @@ -7543,42 +12664,56 @@ "description": "A user's permission to a repository was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", "action", + "_document_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "repo_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", "oauth_application_id", - "permission", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", "visibility", - "public_repo", - "key", - "name", - "owner", "old_permission", - "new_permission" + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { "action": "repository_advisory.close", "description": "Someone closed a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories", + "fields": [ + "actor", + "repo", + "@timestamp", + "business", + "business_id", + "user_agent", + "actor_id", + "request_id", + "action", + "operation_type", + "created_at", + "repo_id", + "_document_id", + "org", + "org_id", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories" }, { @@ -7586,19 +12721,19 @@ "description": "Someone requested a CVE (Common Vulnerabilities and Exposures) number from GitHub for a draft security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo_id", + "repo", + "org_id", "actor", - "actor_id", - "business", + "action", + "request_id", "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "user_agent", + "actor_id", + "_document_id", + "created_at" ] }, { @@ -7606,19 +12741,18 @@ "description": "GitHub made a security advisory public in the GitHub Advisory Database.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -7626,19 +12760,21 @@ "description": "GitHub withdrew a security advisory that was published in error.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -7646,19 +12782,18 @@ "description": "Someone opened a draft security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "operation_type", + "user_agent", "actor_id", - "business", - "org", + "actor", "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "repo_id", + "action", + "@timestamp", + "request_id", + "request_access_security_header" ] }, { @@ -7666,19 +12801,21 @@ "description": "Someone published a security advisory.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "user_agent", + "actor_id", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "repo_id", + "_document_id", "repo", - "user", + "business_id", + "business", + "request_id", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "org" ] }, { @@ -7686,19 +12823,18 @@ "description": "Someone reopened as draft security advisory.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "user_agent", + "repo", + "action", + "created_at", "@timestamp", + "request_id", + "actor_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "public_repo" ] }, { @@ -7706,31 +12842,73 @@ "description": "Someone edited a draft or published security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", + "repo_id", + "org_id", "business", - "org", - "repo", - "user", + "actor", + "user_agent", "created_at", + "_document_id", + "business_id", + "repo", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "@timestamp", + "request_id" ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { @@ -7738,19 +12916,26 @@ "description": "Code security was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -7758,37 +12943,95 @@ "description": "Code security was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "repository_content_analysis.disable", "description": "Data use settings were disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "repo_id", + "request_id", + "actor_id", + "created_at", + "user_agent", + "action", + "operation_type", + "actor", + "repo", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_content_analysis.enable", "description": "Data use settings were enabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "org", + "user_id", + "repo_id", + "@timestamp", + "request_id", + "actor", + "action", + "operation_type", + "created_at", + "actor_id", + "repo", + "user_agent", + "org_id", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.disable", "description": "The dependency graph was disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "repo_id", + "operation_type", + "user_id", + "repo", + "_document_id", + "actor", + "user", + "action", + "@timestamp", + "org_id", + "actor_id", + "org", + "created_at", + "user_agent", + "request_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea, tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { @@ -7796,19 +13039,25 @@ "description": "The dependency graph was enabled for a private repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", + "request_id", + "user", "org", + "org_id", + "action", "repo", - "user", + "user_id", "created_at", + "user_agent", + "actor_id", + "repo_id", "operation_type", + "actor", + "@timestamp", + "_document_id", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -7816,19 +13065,21 @@ "description": "An image to represent a repository was uploaded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", "action", + "request_id", "actor", - "actor_id", - "business", - "org", + "content_type", "repo", + "@timestamp", + "_document_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -7836,19 +13087,21 @@ "description": "An image to represent a repository was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "repo_id", + "user_agent", "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "@timestamp", + "request_access_security_header" ] }, { @@ -7856,19 +13109,21 @@ "description": "An invitation to join a repository was accepted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "request_id", + "repo", + "invitee", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" ] }, { @@ -7876,19 +13131,20 @@ "description": "An invitation to join a repository was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "inviter", "action", - "actor", - "actor_id", - "business", - "org", + "operation_type", + "_document_id", + "repo_id", "repo", - "user", + "@timestamp", + "user_agent", + "invitee", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "actor", + "actor_id", + "request_access_security_header" ] }, { @@ -7896,19 +13152,21 @@ "description": "An invitation to join a repository was sent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", "repo", - "user", "created_at", + "user_agent", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -7916,37 +13174,82 @@ "description": "An invitation to join a repository was declined.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo", "_document_id", - "action", "actor", + "invitee", + "action", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "inviter", + "user_agent", + "repo_id" ] }, { "action": "repository_limit.reached", "description": "An organization has reached their repository limit.", "docs_reference_links": "repositories/creating-and-managing-repositories/repository-limits", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "limit", + "count", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "repositories/creating-and-managing-repositories/repository-limits" }, { "action": "repository_limit.warning", "description": "An organization is approaching their repository limit.", "docs_reference_links": "repositories/creating-and-managing-repositories/repository-limits", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "limit", + "count", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "repositories/creating-and-managing-repositories/repository-limits" }, { "action": "repository_projects_change.clear", "description": "The repository projects policy was removed for an organization, or all organizations in the enterprise Organization owners can now control their repository projects settings.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "action", + "user_agent", + "user", + "business_id", + "business", + "operation_type", + "actor", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { @@ -7954,19 +13257,20 @@ "description": "Repository projects were disabled for a repository, all repositories in an organization, or all organizations in an enterprise.", "docs_reference_links": "N/A", "fields": [ + "created_at", "@timestamp", - "_document_id", + "repo", "action", - "actor", + "operation_type", + "_document_id", "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "user_agent", + "repo_id", + "actor", + "request_id", + "programmatic_access_type" ] }, { @@ -7975,90 +13279,363 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "repo_id", "org", - "repo", + "request_id", "user", + "user_agent", "created_at", + "org_id", + "action", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "actor_id", + "repo" ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { @@ -8066,19 +13643,22 @@ "description": "Secret scanning was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -8086,19 +13666,24 @@ "description": "Generic secrets have been disabled at the repository level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8106,67 +13691,225 @@ "description": "Generic secrets have been enabled at the repository level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { @@ -8174,19 +13917,28 @@ "description": "A code security configuration was applied to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8194,19 +13946,27 @@ "description": "A code security configuration failed to attach to the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8214,19 +13974,28 @@ "description": "A code security configuration was removed from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8234,25 +14003,50 @@ "description": "A code security configuration was removed due to a change in repository or enterprise settings.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "repository_visibility_change.clear", "description": "The repository visibility change setting was cleared for an organization or enterprise.", "docs_reference_links": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-changes-to-repository-visibility", + "fields": [ + "created_at", + "_document_id", + "request_id", + "actor_id", + "business", + "action", + "operation_type", + "user", + "user_id", + "business_id", + "@timestamp", + "user_agent", + "actor", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, Enforcing repository management policies in your enterprise" }, { @@ -8260,19 +14054,20 @@ "description": "The ability for enterprise members to update a repository's visibility was disabled. Members are unable to change repository visibilities in an organization, or all organizations in an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user", + "org_id", + "created_at", + "user_agent", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "@timestamp", + "user_id", + "action", + "request_id", + "request_access_security_header" ] }, { @@ -8280,37 +14075,102 @@ "description": "The ability for enterprise members to update a repository's visibility was enabled. Members are able to change repository visibilities in an organization, or all organizations in an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", + "operation_type", + "_document_id", + "@timestamp", + "user_agent", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "org_id", + "action", + "actor_id", + "user_id", + "request_id" ] }, { "action": "repository_vulnerability_alert.auto_dismiss", "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.auto_reopen", "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.create", "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "fields": [ + "operation_type", + "request_id", + "repo_id", + "@timestamp", + "user_agent", + "alert_id", + "action", + "repo", + "created_at", + "_document_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ], "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts" }, { @@ -8318,19 +14178,26 @@ "description": "A Dependabot alert was manually dismissed.", "docs_reference_links": "N/A", "fields": [ + "repo_id", + "org_id", + "user_id", + "request_id", "@timestamp", + "operation_type", + "user_agent", + "alert_id", + "actor", + "repo", + "created_at", + "org", "_document_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", + "dismiss_reason", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "dismiss_comment", + "alert_number", + "actor_is_bot" ] }, { @@ -8338,19 +14205,22 @@ "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "alert_id", "created_at", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "_document_id", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "alert_number" ] }, { @@ -8358,19 +14228,26 @@ "description": "A Dependabot alert was manually reopened.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "alert_id", "created_at", + "action", + "repo", + "repo_id", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "public_repo", + "alert_number", + "request_access_security_header" ] }, { @@ -8378,19 +14255,21 @@ "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "alert_id", + "repo", + "operation_type", "action", + "repo_id", + "_document_id", + "user_agent", + "request_id", + "@timestamp", + "created_at", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "alert_number", + "programmatic_access_type" ] }, { @@ -8398,25 +14277,44 @@ "description": "A Dependabot alert was withdrawn.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "alert_id", + "alert_number", + "ghsa_id", + "created_at", + "active", "action", - "actor", - "actor_id", - "business", - "org", + "repository_id", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "operation_type" ] }, { "action": "repository_vulnerability_alerts.authorized_users_teams", "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts", + "fields": [ + "org", + "_document_id", + "repo", + "org_id", + "operation_type", + "created_at", + "actor", + "action", + "@timestamp", + "user_agent", + "repo_id", + "request_id", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts" }, { @@ -8424,19 +14322,24 @@ "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -8444,19 +14347,26 @@ "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8464,19 +14374,23 @@ "description": "Dependabot alerts was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", + "request_id", + "repo_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", "created_at", + "actor", + "user_agent", + "org_id", + "user", + "org", + "_document_id", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -8484,73 +14398,235 @@ "description": "Dependabot alerts was enabled.", "docs_reference_links": "N/A", "fields": [ + "actor", + "user_agent", + "created_at", "@timestamp", - "_document_id", + "repo_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "repo", + "org", + "org_id", + "actor_id", + "_document_id", + "user_id", "operation_type", + "request_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "required_status_check.create", "description": "A status check was marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "org", + "actor_id", + "@timestamp", + "business", + "request_id", + "context", + "repo_id", + "action", + "repo", + "_document_id", + "operation_type", + "business_id", + "org_id", + "actor", + "created_at", + "user_agent", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "required_status_check.destroy", "description": "A status check was no longer marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "actor_id", + "actor", + "created_at", + "context", + "operation_type", + "@timestamp", + "request_id", + "org", + "user_agent", + "repo_id", + "org_id", + "action", + "_document_id", + "repo", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "role.create", "description": "A new custom repository role was created.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "role_permissions", + "old_role_permissions" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.destroy", "description": "A custom repository role was deleted.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.update", "description": "A custom repository role was edited.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "old_role_permissions", + "old_base_role" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.public_leak", "description": "A secret scanning alert was leaked in a public repo.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "created_at" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { @@ -8558,25 +14634,45 @@ "description": "A secret scanning alert was reopened.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "number", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "secret_type_display_name" ] }, { "action": "secret_scanning_alert.report", "description": "A leaked secret was reported to the secret's provider by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "created_at", + "secret_type_display_name", + "secret_type_provider", + "report_result" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts" }, { @@ -8584,19 +14680,28 @@ "description": "A secret scanning alert was resolved.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "number", + "resolution", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" ] }, { @@ -8604,25 +14709,49 @@ "description": "A secret scanning alert was revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "number", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { @@ -8630,31 +14759,85 @@ "description": "A request to close a secret scanning alert was approved by a user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "request_reviewer_comment", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "secret_scanning_closure_request.cancel", "description": "N/A", "docs_reference_links": "A reqeust to close a secret scanning alert was canceled by a user.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "A, reqeust, to, close, a, secret, scanning, alert, was, canceled, by, a, user." }, { "action": "secret_scanning_closure_request.create", "description": "N/A", "docs_reference_links": "A user requested to close a secret scanning alert.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "reason", + "comment", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "A, user, requested, to, close, a, secret, scanning, alert." }, { @@ -8662,85 +14845,302 @@ "description": "A request to close a secret scanning alert was denied by a user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "request_reviewer_comment", + "repo", + "repo_id", + "public_repo", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.cancel", "description": "A user canceled a request to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_push_protection_request.complete", "description": "A user pushed a commit containing a secret for which there is an approved secret scanning push protection bypass request.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_scan.completed", "description": "A secret scanning scan has completed on this repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "repo_id", + "org_id", + "business_id", + "source", + "type", + "source_slug", + "type_slug", + "started_at", + "completed_at", + "repo", + "public_repo", + "org", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "secret_types", + "custom_pattern_name", + "custom_pattern_scope" + ], "docs_reference_titles": "About secret scanning" }, { @@ -8748,19 +15148,42 @@ "description": "A security configuration was created", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" ] }, { @@ -8768,19 +15191,23 @@ "description": "A default security configuration setting for new repositories was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -8788,19 +15215,23 @@ "description": "A default security configuration setting for new repositories was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -8808,19 +15239,41 @@ "description": "A security configuration was deleted", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" ] }, { @@ -8828,19 +15281,17 @@ "description": "A security configuration policy was updated", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "enforcement", + "security_configuration_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -8848,19 +15299,42 @@ "description": "A security configuration was updated", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" ] }, { @@ -8868,25 +15342,38 @@ "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { @@ -8894,73 +15381,185 @@ "description": "The fiscal host for a GitHub Sponsors listing was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.invoiced_agreement_sign", "description": "An agreement for invoiced billing for GitHub Sponsors was signed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice" }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { @@ -8968,25 +15567,36 @@ "description": "A GitHub Sponsors account was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "sponsors_listing_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { @@ -8995,42 +15605,96 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", + "created_at", + "request_id", + "user", "action", + "user_agent", + "operation_type", + "_document_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id" ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { @@ -9038,19 +15702,20 @@ "description": "A GitHub Sponsors tier changed access for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -9058,19 +15723,18 @@ "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -9078,43 +15742,104 @@ "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { @@ -9122,19 +15847,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "public_repo" ] }, { @@ -9142,19 +15866,20 @@ "description": "The verification code expiry time for an organization or enterprise domain was set.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -9162,19 +15887,18 @@ "description": "An organization or enterprise domain was unverified.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "owner_type", + "domain_name", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { @@ -9182,25 +15906,39 @@ "description": "An organization or enterprise domain was verified.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "domain_name", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { @@ -9208,31 +15946,65 @@ "description": "A team was given access and permissions to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", "org", "repo", - "user", - "created_at", - "operation_type", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { @@ -9240,25 +16012,44 @@ "description": "A new team is created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", "org", - "repo", - "user", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { @@ -9266,19 +16057,19 @@ "description": "A team was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "programmatic_access_type" ] }, { @@ -9286,25 +16077,40 @@ "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ + "business_id", + "operation_type", "@timestamp", - "_document_id", - "action", + "user_agent", "actor", "actor_id", - "business", - "org", - "repo", "user", + "business", + "action", + "request_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "_document_id" ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { @@ -9312,19 +16118,19 @@ "description": "Team discussions were enabled for an organization.", "docs_reference_links": "N/A", "fields": [ + "actor_id", "@timestamp", - "_document_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", "user", - "created_at", + "business", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "created_at" ] }, { @@ -9332,19 +16138,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "created_at", "actor", + "action", + "operation_type", + "team", + "@timestamp", "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "org_id", + "user_agent", + "request_id", + "request_access_security_header" ] }, { @@ -9352,19 +16158,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "operation_type", "@timestamp", + "actor_id", "_document_id", + "team", + "created_at", + "org_id", "action", + "request_id", + "user_agent", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -9372,31 +16178,70 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "team", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { @@ -9404,19 +16249,21 @@ "description": "A repository was removed from a team's control.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", + "org_id", + "repo", + "repo_id", "action", + "_document_id", "actor", + "@timestamp", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", "created_at", + "team", + "org", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { @@ -9424,31 +16271,61 @@ "description": "A team's name was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "name", + "user_agent", "created_at", + "team", "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { @@ -9456,19 +16333,19 @@ "description": "The Okta credentials for team synchronization with a tenant were changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -9476,19 +16353,28 @@ "description": "A team's permission to a repository was changed.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "team", + "org_id", "@timestamp", + "org", "_document_id", + "old_permission", + "request_id", + "repo", "action", + "repo_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" ] }, { @@ -9496,19 +16382,18 @@ "description": "A Dependabot rule was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -9516,19 +16401,18 @@ "description": "A Dependabot rule was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -9536,19 +16420,20 @@ "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -9556,19 +16441,21 @@ "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -9576,19 +16463,21 @@ "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", "org", - "repo", - "user", + "org_id", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -9596,19 +16485,21 @@ "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", "org", - "repo", - "user", + "org_id", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -9616,25 +16507,47 @@ "description": "A Dependabot rule's conditions, actions, or metadata changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { @@ -9642,25 +16555,59 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { @@ -9668,37 +16615,122 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "workflow_run_id", + "run_number", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { @@ -9706,19 +16738,22 @@ "description": "A workflow was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "workflow_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -9726,19 +16761,21 @@ "description": "A workflow was enabled, after previously being disabled by disable_workflow.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "workflow_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -9746,37 +16783,118 @@ "description": "A workflow was pinned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { @@ -9784,19 +16902,25 @@ "description": "A workflow was unpinned after previously being pinned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/fpt/user.json b/src/audit-logs/data/fpt/user.json index fd1419921d57..1fd12e5753ec 100644 --- a/src/audit-logs/data/fpt/user.json +++ b/src/audit-logs/data/fpt/user.json @@ -4,25 +4,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "org", "@timestamp", + "operation_type", + "user_agent", "_document_id", + "created_at", "action", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { @@ -30,19 +42,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "action", + "request_id", "@timestamp", + "user_agent", + "created_at", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "token_id", + "user_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "operation_type" ] }, { @@ -50,19 +61,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", "actor", + "user_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp" ] }, { @@ -70,19 +80,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "user", "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" ] }, { @@ -90,19 +99,29 @@ "description": "A GitHub Actions cache was deleted using the REST API.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "oauth_application_id", + "user_id", "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -110,31 +129,58 @@ "description": "A workflow run artifact was manually deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", "actor", + "user_agent", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "request_id", + "@timestamp", "created_at", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { @@ -142,19 +188,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "oauth_application_id", "@timestamp", + "actor_id", + "operation_type", "_document_id", - "action", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "user_agent", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action" ] }, { @@ -162,19 +207,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -182,19 +226,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -202,19 +244,26 @@ "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -222,19 +271,24 @@ "description": "A CSV export was requested on the \"Coverage\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -242,19 +296,26 @@ "description": "A CSV export was requested on the \"Overview Dashboard\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -262,87 +323,215 @@ "description": "A CSV export was requested on the \"Risk\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", - "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" - }, - { - "action": "checks.delete_logs", - "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", + "repo_id", "user", + "user_id", + "action", + "operation_type", + "@timestamp", "created_at", + "_document_id", + "public_repo" + ], + "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" + }, + { + "action": "checks.delete_logs", + "description": "Logs in a check suite were deleted.", + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" ] }, { @@ -350,19 +539,16 @@ "description": "A codespace using custom permissions from its devcontainer.json file was launched.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "origin_repository", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -370,31 +556,79 @@ "description": "Credentials for a codespace were refreshed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "machine_type", + "devcontainer_path" ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { @@ -402,19 +636,18 @@ "description": "A codespace was exported to a branch on GitHub.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "public_repo" ] }, { @@ -422,19 +655,19 @@ "description": "A codespace was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -442,19 +675,27 @@ "description": "A codespace was started.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "name", "org", - "repo", + "owner", + "pull_request_id", + "machine_type", + "user_id", "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -462,25 +703,39 @@ "description": "A codespace was stopped.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { @@ -488,25 +743,41 @@ "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { @@ -514,19 +785,24 @@ "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", + "token_id", + "token_scopes", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -534,19 +810,17 @@ "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -554,19 +828,20 @@ "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -574,19 +849,19 @@ "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "seat_assignment", + "request_access_security_header" ] }, { @@ -594,19 +869,21 @@ "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "user_id", "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -614,19 +891,22 @@ "description": "Specific repositories were disabled from using Copilot coding agent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "org_id", + "owner_type", "actor_id", - "business", - "org", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -634,19 +914,23 @@ "description": "Specific repositories were enabled to use Copilot coding agent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", + "org_id", + "owner_type", + "owner", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" ] }, { @@ -654,19 +938,22 @@ "description": "Copilot coding agent access was updated for the organization's or user's repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "new_access", + "old_access", + "org_id", + "owner_type", + "owner", "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -674,19 +961,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "runner_group_id", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -694,19 +985,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -714,43 +1007,107 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "runner_group_id", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { @@ -758,25 +1115,38 @@ "description": "The repositories that Dependabot can access were updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -784,25 +1154,40 @@ "description": "Dependabot security updates were enabled for all existing repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -810,25 +1195,40 @@ "description": "Dependabot security updates were enabled for all new repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -836,25 +1236,40 @@ "description": "The dependency graph was enabled for all existing repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -862,25 +1277,44 @@ "description": "The dependency graph was enabled for all new repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { @@ -888,73 +1322,259 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "environment_name", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", - "docs_reference_titles": "Store information in variables" - }, - { - "action": "environment.delete", - "description": "An environment was deleted.", - "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", - "docs_reference_titles": "Managing environments for deployment" - }, - { - "action": "environment.remove_actions_secret", - "description": "A secret was deleted for a GitHub Actions environment.", - "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Store information in variables" + }, + { + "action": "environment.delete", + "description": "An environment was deleted.", + "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Managing environments for deployment" + }, + { + "action": "environment.remove_actions_secret", + "description": "A secret was deleted for a GitHub Actions environment.", + "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { @@ -962,19 +1582,21 @@ "description": "A gist was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", + "user_id", "user", + "gist_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -982,19 +1604,20 @@ "description": "A gist was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_id", + "gist_id", + "visibility", + "created_at", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "request_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" ] }, { @@ -1002,31 +1625,70 @@ "description": "The visibility of a gist was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "operation_type", + "@timestamp", + "user_agent", "actor", - "actor_id", - "business", - "org", - "repo", "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { @@ -1034,19 +1696,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1054,19 +1720,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -1074,19 +1742,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1094,19 +1765,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user_id", + "@timestamp", + "user", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" ] }, { @@ -1114,19 +1784,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_id", + "operation_type", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" ] }, { @@ -1134,19 +1803,25 @@ "description": "A hook's active status was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -1154,25 +1829,53 @@ "description": "A hook's configuration was changed.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "operation_type", "@timestamp", "_document_id", - "action", "actor", - "actor_id", - "business", + "name", "org", + "user_agent", + "request_id", + "hook_id", "repo", - "user", + "repo_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { @@ -1180,19 +1883,25 @@ "description": "A hook was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "events", "repo", - "user", "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -1200,19 +1909,26 @@ "description": "A hook's configured events were changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "events", "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -1220,19 +1936,22 @@ "description": "A GitHub App was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "operation_type", + "@timestamp", "actor", + "user_agent", "actor_id", - "business", - "org", - "repo", - "user", + "request_id", + "name", + "user_id", + "_document_id", + "integration", "created_at", - "operation_type", "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "application_client_id" ] }, { @@ -1240,19 +1959,19 @@ "description": "A GitHub App was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "user_id", "actor_id", - "business", - "org", - "repo", + "request_id", + "@timestamp", + "name", + "integration", "user", - "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent" ] }, { @@ -1260,73 +1979,234 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "name", + "integration", "business", - "org", - "repo", - "user", - "created_at", + "business_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "application_client_id" ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { @@ -1334,19 +2214,20 @@ "description": "A client secret for a GitHub App was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" ] }, { @@ -1354,19 +2235,20 @@ "description": "All user tokens for a GitHub App were requested to be revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "application_client_id" ] }, { @@ -1374,37 +2256,93 @@ "description": "Token(s) for a GitHub App were revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "application_client_id" ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", - "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" - }, - { - "action": "integration.unsuspend", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], + "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" + }, + { + "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { @@ -1412,19 +2350,18 @@ "description": "The GitHub Marketplace Developer Agreement was signed.", "docs_reference_links": "N/A", "fields": [ + "request_id", + "actor", + "actor_id", "@timestamp", "_document_id", + "user_agent", + "operation_type", + "created_at", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -1432,19 +2369,21 @@ "description": "A listing was approved for inclusion in GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "secondary_category", "actor", - "actor_id", - "business", - "org", - "repo", + "primary_category", "user", - "created_at", + "@timestamp", + "_document_id", + "user_id", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" ] }, { @@ -1452,19 +2391,21 @@ "description": "A category for a listing for an app in GitHub Marketplace was changed.", "docs_reference_links": "N/A", "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", "@timestamp", - "_document_id", + "integration", + "org_id", "action", - "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "secondary_category", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "actor_id", + "_document_id" ] }, { @@ -1472,19 +2413,22 @@ "description": "A listing for an app in GitHub Marketplace was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "primary_category", "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp" ] }, { @@ -1492,19 +2436,21 @@ "description": "A listing was removed from GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "org", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "org_id", "created_at", + "secondary_category", "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" ] }, { @@ -1513,18 +2459,21 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "actor", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" ] }, { @@ -1532,19 +2481,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", "_document_id", "action", + "user_agent", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" ] }, { @@ -1552,19 +2504,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" ] }, { @@ -1572,19 +2527,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "monthly_price_in_cents", + "marketplace_listing", "_document_id", "action", - "actor", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "created_at" ] }, { @@ -1592,19 +2550,22 @@ "description": "A listing was sent back to draft state.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" ] }, { @@ -1612,19 +2573,22 @@ "description": "A listing was not accepted for inclusion in GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -1632,19 +2596,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1652,19 +2616,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1672,19 +2640,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1692,19 +2659,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1712,19 +2680,14 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "user", "@timestamp", "_document_id", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_access_security_header" ] }, { @@ -1732,19 +2695,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -1752,51 +2715,88 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "action", "org", - "repo", - "user", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" - ] - }, + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] + }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo", + "org_id", "_document_id", + "org", + "repo_id", "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { @@ -1804,19 +2804,20 @@ "description": "An OAuth access token was regenerated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "user_id", "_document_id", + "created_at", + "@timestamp", + "operation_type", "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", + "token_scopes", "programmatic_access_type", - "token_scopes" + "oauth_application_name" ] }, { @@ -1824,19 +2825,18 @@ "description": "An OAuth access token was revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", + "request_access_security_header", + "hashed_token", + "token_id", + "token_scopes", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1844,85 +2844,266 @@ "description": "An OAuth access token was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "request_id", + "actor_id", + "actor", + "operation_type", "_document_id", + "user_id", + "created_at", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "@timestamp", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "request_access_security_header" ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "oauth_authorization.update", "description": "An authorization for an OAuth application was updated.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "org_id", + "request_id", + "user_id", + "actor", + "actor_id", + "user_agent", + "@timestamp", + "operation_type", + "action", + "user", + "created_at", + "_document_id", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { @@ -1930,19 +3111,22 @@ "description": "A user joined an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "permission", "_document_id", - "action", - "actor", - "actor_id", - "business", "org", - "repo", + "operation_type", + "request_id", + "actor", "user", + "@timestamp", "created_at", - "operation_type", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -1950,19 +3134,24 @@ "description": "An outside collaborator was added to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "inviter", "org", + "org_id", "repo", - "user", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1970,18 +3159,19 @@ "description": "GitHub Advanced Security was disabled for new repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -1990,18 +3180,21 @@ "description": "GitHub Advanced Security was disabled for all repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -2010,38 +3203,42 @@ "description": "GitHub Advanced Security was enabled for new repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" - ] - }, + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] + }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -2050,19 +3247,21 @@ "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", "created_at", + "user", "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "org", + "token_scopes", + "programmatic_access_type" ] }, { @@ -2070,19 +3269,27 @@ "description": "A CSV export was requested on the CodeQL pull request alerts page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -2090,19 +3297,26 @@ "description": "A CSV export was requested on the Coverage page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2110,19 +3324,28 @@ "description": "A CSV export was requested on the Overview Dashboard page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2130,55 +3353,148 @@ "description": "A CSV export was requested on the Risk page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { @@ -2187,18 +3503,20 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", + "org_id", + "created_at", "_document_id", + "user", + "user_id", "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "old_permission", + "permission", + "actor", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "org" ] }, { @@ -2206,43 +3524,106 @@ "description": "The create repository permission for organization members was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "action", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "permission", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { @@ -2250,19 +3631,19 @@ "description": "A new passkey was added.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "nickname", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2270,19 +3651,19 @@ "description": "A new passkey was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "nickname", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2290,19 +3671,18 @@ "description": "A new payment method was added, such as a new credit card or PayPal account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", "_document_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2310,19 +3690,16 @@ "description": "A payment method was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "_document_id", + "request_access_security_header" ] }, { @@ -2330,31 +3707,62 @@ "description": "An existing payment method was updated.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", "@timestamp", - "_document_id", "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "_document_id", + "request_access_security_header" ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { @@ -2362,19 +3770,19 @@ "description": "Triggered when you create a fine-grained personal access token.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "user_programmatic_access_name", "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2382,25 +3790,35 @@ "description": "Triggered when you regenerate a fine-grained personal access token.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "user_programmatic_access_name", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { @@ -2408,19 +3826,20 @@ "description": "Triggered when you delete a fine-grained personal access token.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "user_programmatic_access_name", "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2428,37 +3847,86 @@ "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "user_programmatic_access_name", "org", - "repo", - "user", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_programmatic_access_request_id" ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { @@ -2466,19 +3934,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2486,19 +3952,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2506,19 +3972,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2526,19 +3990,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2546,19 +4010,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2566,19 +4030,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2586,25 +4050,39 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { @@ -2612,25 +4090,40 @@ "description": "A project board visibility was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", + "actor", + "user_agent", + "operation_type", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { @@ -2638,19 +4131,25 @@ "description": "A collaborator was added to a project.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "collaborator_type", "org", - "repo", - "user", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" ] }, { @@ -2658,19 +4157,20 @@ "description": "A collaborator was removed from a project.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "collaborator_type", "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2678,19 +4178,25 @@ "description": "A project collaborator's permission level was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2698,19 +4204,17 @@ "description": "A project board was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "operation_type", "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor" ] }, { @@ -2718,31 +4222,57 @@ "description": "A project board was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { @@ -2750,25 +4280,41 @@ "description": "A repository was linked to a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "org_id", + "user_agent", + "request_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { @@ -2776,19 +4322,22 @@ "description": "A project board was renamed.", "docs_reference_links": "N/A", "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", "@timestamp", + "repo", "_document_id", - "action", + "user_agent", + "org_id", + "business_id", "actor", - "actor_id", - "business", + "repo_id", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business" ] }, { @@ -2796,19 +4345,19 @@ "description": "A repository was unlinked from a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo", + "repo_id", + "operation_type", "actor", + "action", + "created_at", "actor_id", - "business", + "_document_id", + "request_id", + "@timestamp", + "user_agent", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { @@ -2816,19 +4365,17 @@ "description": "The project's base-level permission for all organization members was changed or removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "@timestamp", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" ] }, { @@ -2836,19 +4383,18 @@ "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "org_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" ] }, { @@ -2856,31 +4402,60 @@ "description": "A user was added to or removed from a project board or had their permission level changed.", "docs_reference_links": "N/A", "fields": [ + "request_id", + "user_id", + "operation_type", "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_agent", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { @@ -2888,19 +4463,20 @@ "description": "A project's visibility was changed from public to private.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "project_kind", + "project_name" ] }, { @@ -2908,109 +4484,391 @@ "description": "A project's visibility was changed from private to public.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "project_kind", + "project_name", + "request_access_security_header" ] }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", - "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" - }, - { - "action": "public_key.verify", - "description": "A user account's SSH key or a repository's deploy key was verified.", - "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], + "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" + }, + { + "action": "public_key.verify", + "description": "A user account's SSH key or a repository's deploy key was verified.", + "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { @@ -3018,84 +4876,190 @@ "description": "Pull request merge options were changed for a repository.", "docs_reference_links": "N/A", "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", "@timestamp", "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "action", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { @@ -3103,54 +5067,108 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "oauth_application_id", + "token_id", + "token_scopes", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", - "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" - }, - { - "action": "repo.create_actions_secret", - "description": "A GitHub Actions secret was created for a repository.", - "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", - "docs_reference_titles": "Using secrets in GitHub Actions" - }, - { - "action": "repo.create_actions_variable", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], + "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" + }, + { + "action": "repo.create_actions_secret", + "description": "A GitHub Actions secret was created for a repository.", + "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], + "docs_reference_titles": "Using secrets in GitHub Actions" + }, + { + "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -3158,42 +5176,51 @@ "description": "A Codespaces or Dependabot secret was created for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "visibility", + "integration", "repo", - "user", - "created_at", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type", + "request_access_security_header" ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { @@ -3201,36 +5228,23 @@ "description": "A GitHub Pages custom domain was modified in a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "@timestamp", + "visibility", "repo", + "repo_id", "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "old_cname", + "programmatic_access_type" ] }, { @@ -3238,36 +5252,21 @@ "description": "A GitHub Pages site was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "actor_id", + "user", "_document_id", + "user_id", + "visibility", "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", "actor", - "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type" ] }, { @@ -3275,36 +5274,21 @@ "description": "A GitHub Pages site was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "created_at", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "operation_type", + "repo_id", + "programmatic_access_type" ] }, { @@ -3312,36 +5296,22 @@ "description": "HTTPS redirects were disabled for a GitHub Pages site.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "actor_id", + "repo_id", "_document_id", - "action", + "user_agent", "actor", - "actor_id", - "business", - "org", + "visibility", + "user_id", + "request_id", "repo", - "user", - "created_at", + "@timestamp", "operation_type", + "action", + "created_at", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -3349,36 +5319,21 @@ "description": "HTTPS redirects were enabled for a GitHub Pages site.", "docs_reference_links": "N/A", "fields": [ + "request_id", "@timestamp", - "_document_id", - "action", + "user_agent", + "user_id", + "created_at", + "visibility", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" ] }, { @@ -3386,110 +5341,62 @@ "description": "A GitHub Pages site visibility was changed to private.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" - ] - }, - { - "action": "repo.pages_public", - "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" ] }, { - "action": "repo.pages_soft_delete", - "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", + "action": "repo.pages_public", + "description": "A GitHub Pages site visibility was changed to public.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", + "request_access_security_header" + ] + }, + { + "action": "repo.pages_soft_delete", + "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", + "docs_reference_links": "N/A", + "fields": [ "visibility", + "repo", + "repo_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" ] }, { @@ -3497,36 +5404,22 @@ "description": "A GitHub Pages site that was previously soft-deleted was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "visibility", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -3534,54 +5427,91 @@ "description": "A GitHub Pages source was modified.", "docs_reference_links": "N/A", "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", "@timestamp", + "repo_id", + "user", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "request_id", + "visibility", "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "programmatic_access_type" ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -3589,48 +5519,74 @@ "description": "A Codespaces or Dependabot secret was deleted for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "integration", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { @@ -3638,42 +5594,49 @@ "description": "A topic was removed from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", "actor", - "actor_id", "business", - "org", + "request_id", "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { @@ -3681,72 +5644,163 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", "action", - "actor", + "_document_id", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" ] }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { @@ -3756,46 +5810,66 @@ "fields": [ "@timestamp", "_document_id", - "action", - "actor", + "user_agent", "actor_id", - "business", + "created_at", + "actor", + "repo_id", + "action", "org", + "org_id", + "request_id", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "operation_type" ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { @@ -3803,36 +5877,23 @@ "description": "A repository was transferred to another repository network.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -3842,40 +5903,42 @@ "fields": [ "@timestamp", "_document_id", + "operation_type", + "user_id", + "request_id", + "user", "action", + "user_agent", + "created_at", "actor", + "visibility", + "repo_id", "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { @@ -3883,42 +5946,51 @@ "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", + "policy", + "old_policy", "repo", - "user", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id" ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { @@ -3926,42 +5998,52 @@ "description": "A repository administrator changed GitHub Actions policy settings for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "actor_is_bot" ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -3969,36 +6051,23 @@ "description": "The default branch for a repository was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", + "repo_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type", + "actor_is_bot" ] }, { @@ -4006,36 +6075,26 @@ "description": "A Codespaces or Dependabot secret was updated for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "visibility", + "integration", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "request_access_security_header" ] }, { @@ -4043,36 +6102,32 @@ "description": "A user's permission to a repository was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", "action", + "_document_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "repo_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", "oauth_application_id", - "permission", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", "visibility", - "public_repo", - "key", - "name", - "owner", "old_permission", - "new_permission" + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { @@ -4080,19 +6135,21 @@ "description": "An image to represent a repository was uploaded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", "action", + "request_id", "actor", - "actor_id", - "business", - "org", + "content_type", "repo", + "@timestamp", + "_document_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -4100,19 +6157,21 @@ "description": "An image to represent a repository was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "repo_id", + "user_agent", "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "@timestamp", + "request_access_security_header" ] }, { @@ -4120,19 +6179,21 @@ "description": "An invitation to join a repository was accepted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "request_id", + "repo", + "invitee", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" ] }, { @@ -4140,19 +6201,20 @@ "description": "An invitation to join a repository was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "inviter", "action", - "actor", - "actor_id", - "business", - "org", + "operation_type", + "_document_id", + "repo_id", "repo", - "user", + "@timestamp", + "user_agent", + "invitee", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "actor", + "actor_id", + "request_access_security_header" ] }, { @@ -4160,19 +6222,21 @@ "description": "An invitation to join a repository was sent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", "repo", - "user", "created_at", + "user_agent", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -4180,37 +6244,123 @@ "description": "An invitation to join a repository was declined.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo", "_document_id", - "action", "actor", + "invitee", + "action", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "inviter", + "user_agent", + "repo_id" ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { @@ -4218,19 +6368,18 @@ "description": "A security key was registered for an account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" ] }, { @@ -4238,19 +6387,18 @@ "description": "A security key was removed from an account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user", + "request_access_security_header" ] }, { @@ -4258,25 +6406,38 @@ "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { @@ -4284,67 +6445,166 @@ "description": "The fiscal host for a GitHub Sponsors listing was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { @@ -4352,25 +6612,36 @@ "description": "A GitHub Sponsors account was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "sponsors_listing_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { @@ -4379,48 +6650,115 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", + "created_at", + "request_id", + "user", "action", + "user_agent", + "operation_type", + "_document_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id" ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { @@ -4428,19 +6766,20 @@ "description": "A GitHub Sponsors tier changed access for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4448,25 +6787,37 @@ "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { @@ -4474,43 +6825,86 @@ "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { @@ -4518,25 +6912,32 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { @@ -4544,19 +6945,17 @@ "description": "A new trusted device was added.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "actor", + "actor_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -4564,19 +6963,17 @@ "description": "A trusted device was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -4584,19 +6981,15 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "created_at", + "action", + "request_id", + "user_id", "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "operation_type" ] }, { @@ -4604,19 +6997,15 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "request_id", "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "user", + "_document_id", + "user_agent", + "action" ] }, { @@ -4624,19 +7013,13 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "user", + "action" ] }, { @@ -4644,19 +7027,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "created_at", "actor", "actor_id", - "business", - "org", - "repo", + "@timestamp", + "request_id", "user", - "created_at", + "user_id", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "_document_id" ] }, { @@ -4664,19 +7045,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_id", "actor", - "actor_id", - "business", - "org", - "repo", + "action", + "@timestamp", + "user_agent", + "operation_type", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "actor_id", + "_document_id" ] }, { @@ -4684,19 +7063,16 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" ] }, { @@ -4704,37 +7080,75 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "operation_type", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "user", + "_document_id", + "request_id" ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { @@ -4742,19 +7156,15 @@ "description": "A one-time password code was sent to a user account fallback phone number.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", "@timestamp", + "request_id", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent" ] }, { @@ -4762,25 +7172,37 @@ "description": "Two factor recovery codes were regenerated for a user account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "request_id", + "actor", + "operation_type", "_document_id", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "actor_id", + "@timestamp", + "created_at" ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { @@ -4788,19 +7210,15 @@ "description": "A one-time password code was sent to a user account fallback phone number.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", + "operation_type", + "user_id", "user", + "user_agent", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "action", + "@timestamp" ] }, { @@ -4809,24 +7227,37 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", + "created_at", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "action", + "request_id", + "actor", + "actor_id" ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { @@ -4834,19 +7265,18 @@ "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", "docs_reference_links": "N/A", "fields": [ + "actor", + "user_id", + "created_at", + "user", "@timestamp", "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "action", + "request_access_security_header" ] }, { @@ -4854,19 +7284,17 @@ "description": "Audit log entries were exported.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at" ] }, { @@ -4874,19 +7302,20 @@ "description": "A user was blocked by another user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", "actor", + "user_id", + "_document_id", "actor_id", - "business", - "org", - "repo", + "@timestamp", + "user_agent", "user", - "created_at", + "request_id", + "blocked_user", "operation_type", + "created_at", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4894,31 +7323,57 @@ "description": "A user changed their password.", "docs_reference_links": "N/A", "fields": [ + "request_id", "@timestamp", - "_document_id", - "action", - "actor", + "user_agent", "actor_id", - "business", - "org", - "repo", + "operation_type", + "actor", "user", + "user_id", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "request_access_security_header" ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { @@ -4926,19 +7381,19 @@ "description": "A new user account was created.", "docs_reference_links": "N/A", "fields": [ + "email", + "user_id", + "operation_type", "@timestamp", + "request_id", + "user", + "created_at", "_document_id", - "action", + "user_agent", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "programmatic_access_type" ] }, { @@ -4946,19 +7401,21 @@ "description": "A user secret for Codespaces was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "key", + "visibility", + "integration", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4966,19 +7423,20 @@ "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "created_at", + "user_agent", "_document_id", + "operation_type", + "oauth_application_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" ] }, { @@ -4986,19 +7444,18 @@ "description": "A user account was destroyed by an asynchronous job.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "operation_type", + "created_at", + "user_agent", "action", + "request_id", + "user_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { @@ -5007,18 +7464,19 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", + "oauth_application_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", "operation_type", + "_document_id", + "user_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5026,19 +7484,18 @@ "description": "A user deleted his or her account, triggering user.async_delete.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", "user", + "_document_id", "created_at", + "user_agent", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_id", + "action", + "@timestamp", + "request_access_security_header" ] }, { @@ -5046,19 +7503,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5066,19 +7522,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "user_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" ] }, { @@ -5087,18 +7542,17 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", + "user", "_document_id", "action", + "operation_type", + "user_agent", + "created_at", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -5106,19 +7560,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5126,19 +7578,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5146,19 +7596,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5166,25 +7614,44 @@ "description": "An enterprise managed user claimed an email address.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { @@ -5192,19 +7659,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5212,19 +7677,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5232,19 +7695,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5252,25 +7713,37 @@ "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_id", "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent" ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { @@ -5278,25 +7751,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id" ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { @@ -5304,19 +7789,19 @@ "description": "A user signed in.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "user_agent", + "user_id", "actor_id", - "business", - "org", - "repo", + "@timestamp", "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" ] }, { @@ -5324,19 +7809,18 @@ "description": "A user signed out.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5344,19 +7828,18 @@ "description": "A user signed in from a new device.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" ] }, { @@ -5364,19 +7847,21 @@ "description": "An ordinary user account was promoted to a site administrator.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_id", "action", "actor", "actor_id", - "business", - "org", - "repo", "user", + "@timestamp", "created_at", + "user_agent", + "oauth_application_id", + "request_id", "operation_type", + "_document_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5384,19 +7869,17 @@ "description": "A user's account was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "user", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", + "_document_id", + "request_id", + "user_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "operation_type" ] }, { @@ -5404,19 +7887,20 @@ "description": "An email address was removed from a user account.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "action", "@timestamp", "_document_id", - "action", + "request_id", + "user", + "user_id", + "operation_type", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "email", + "token_scopes", + "programmatic_access_type" ] }, { @@ -5424,19 +7908,20 @@ "description": "A user secret for Codespaces was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "key", + "integration", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5444,19 +7929,20 @@ "description": "A username was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "old_login", "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "token_scopes", + "programmatic_access_type" ] }, { @@ -5464,19 +7950,18 @@ "description": "A user reset their account password.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", + "action", + "user_agent", "user", + "request_id", + "user_id", "created_at", + "@timestamp", + "_document_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5484,25 +7969,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "created_at", + "request_id", + "user_id", + "action", "@timestamp", "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "operation_type" ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { @@ -5510,19 +8007,18 @@ "description": "A user signed in from an unrecognized device.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "_document_id", + "user_agent", "user", - "created_at", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" ] }, { @@ -5530,19 +8026,18 @@ "description": "A user signed in from an unrecognized device and location.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "@timestamp", + "user_agent", "created_at", + "_document_id", + "request_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5550,25 +8045,47 @@ "description": "Triggered when you clear the status on your profile.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", "org", - "repo", + "user_id", + "actor", + "message", "user", + "actor_id", "created_at", + "request_id", + "limited_availability", + "action", + "emoji", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { @@ -5576,19 +8093,21 @@ "description": "A user account was suspended.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "oauth_application_id", + "operation_type", "actor_id", - "business", - "org", - "repo", "user", + "user_agent", + "request_id", + "actor", "created_at", - "operation_type", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5596,39 +8115,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "request_id", + "user", + "actor_id", "@timestamp", + "operation_type", "_document_id", - "action", + "user_agent", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "action", + "user_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "fields": [ "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" ] }, { @@ -5638,17 +8155,16 @@ "fields": [ "@timestamp", "_document_id", - "action", - "actor", + "user_id", + "operation_type", "actor_id", - "business", - "org", - "repo", "user", + "actor", + "user_agent", + "request_id", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5656,19 +8172,18 @@ "description": "A user used their 2FA recovery codes.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { @@ -5676,19 +8191,18 @@ "description": "A user downloaded 2FA recovery codes for their account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "user_id", + "operation_type", "actor_id", - "business", - "org", - "repo", "user", + "request_id", + "action", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "actor", + "_document_id", + "request_access_security_header" ] }, { @@ -5696,19 +8210,17 @@ "description": "A user printed 2FA recovery codes for their account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp" ] }, { @@ -5716,25 +8228,37 @@ "description": "A user viewed 2FA recovery codes for their account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "actor", + "user_id", + "action", "created_at", + "user", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { @@ -5742,19 +8266,19 @@ "description": "A user was unblocked by another user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "actor_id", "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", "actor", - "actor_id", - "business", - "org", - "repo", + "@timestamp", + "user_agent", + "user_id", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5762,19 +8286,21 @@ "description": "A user account was unsuspended.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "request_id", "_document_id", + "user", "action", + "user_agent", "actor", + "oauth_application_id", + "operation_type", "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", + "@timestamp", + "user_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5782,19 +8308,21 @@ "description": "A user secret for Codespaces was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "key", + "visibility", + "integration", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5802,25 +8330,47 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { @@ -5828,19 +8378,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5848,25 +8402,50 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "workflow_run_id", + "run_number", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { @@ -5874,19 +8453,22 @@ "description": "A workflow was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "workflow_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -5894,19 +8476,21 @@ "description": "A workflow was enabled, after previously being disabled by disable_workflow.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "workflow_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5914,25 +8498,51 @@ "description": "A workflow was pinned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { @@ -5940,19 +8550,25 @@ "description": "A workflow was unpinned after previously being pinned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghec/enterprise.json b/src/audit-logs/data/ghec/enterprise.json index d8a54d433474..9831604396b8 100644 --- a/src/audit-logs/data/ghec/enterprise.json +++ b/src/audit-logs/data/ghec/enterprise.json @@ -4,25 +4,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "org", "@timestamp", + "operation_type", + "user_agent", "_document_id", + "created_at", "action", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { @@ -30,25 +42,52 @@ "description": "A GitHub Actions cache was deleted using the REST API.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "oauth_application_id", + "user_id", "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "advisory_credit.accept", "description": "Credit was accepted for a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory" }, { @@ -56,19 +95,21 @@ "description": "Someone was added to the credit section of a security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "ghsa_id", "repo", - "user", - "created_at", + "repo_id", + "recipient", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -76,19 +117,22 @@ "description": "Credit was declined for a security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "ghsa_id", "repo", - "user", - "created_at", + "repo_id", + "recipient", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -96,25 +140,60 @@ "description": "Someone was removed from the credit section of a security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "ghsa_id", "repo", - "user", - "created_at", + "repo_id", + "recipient", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { "action": "api.request", "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests", + "fields": [ + "user_agent", + "request_id", + "request_method", + "query_string", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "request_body", + "status_code", + "url_path", + "business", + "business_id", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "route", + "rate_limit_remaining", + "actor_is_bot" + ], "docs_reference_titles": "Streaming the audit log for your enterprise" }, { @@ -122,19 +201,18 @@ "description": "A workflow run artifact was manually deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", "actor", + "user_agent", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "request_id", + "@timestamp", "created_at", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { @@ -142,19 +220,20 @@ "description": "A manual check of the endpoint configured for audit log streaming was performed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "audit_log_stream_result", + "business_id", "business", - "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "audit_log_stream_sink_details", + "request_access_security_header" ] }, { @@ -162,19 +241,19 @@ "description": "An endpoint was added for audit log streaming.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "business_id", "business", - "org", - "repo", - "user", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "audit_log_stream_id" ] }, { @@ -182,19 +261,19 @@ "description": "An audit log streaming endpoint was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "business_id", "business", - "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "audit_log_stream_id", + "audit_log_stream_sink_details" ] }, { @@ -202,43 +281,115 @@ "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "audit_log_stream_enabled", + "business_id", "business", - "org", - "repo", - "user", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "new_s3_bucket", + "old_s3_bucket", + "secrets_updated", + "new_s3_arn_role", + "old_s3_arn_role", + "new_azure_blob_container", + "old_azure_blob_container", + "new_event_hub_instance", + "old_event_hub_instance", + "new_splunk_domain", + "old_splunk_domain", + "ssl_verify", + "old_gc_bucket" ] }, { "action": "auto_approve_personal_access_token_requests.disable", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources. See also: personal_access_token.auto_approve_grant_requests_disabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "auto_approve_personal_access_token_requests.enable", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval. See also: personal_access_token.auto_approve_grant_requests_enabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { @@ -246,19 +397,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "oauth_application_id", "@timestamp", + "actor_id", + "operation_type", "_document_id", - "action", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "user_agent", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action" ] }, { @@ -266,19 +416,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -286,25 +435,41 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "business.add_admin", "description": "An enterprise owner was added to an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "name", + "business", + "user", + "user_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "action", + "operation_type", + "request_id", + "business_id", + "_document_id", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { @@ -312,19 +477,20 @@ "description": "A billing manager was added to an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "user", "actor", - "actor_id", + "name", "business", - "org", - "repo", - "user", - "created_at", + "business_id", + "action", + "@timestamp", + "request_id", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_id", + "_document_id" ] }, { @@ -332,19 +498,23 @@ "description": "An enterprise prevented access to resources by users with the given two-factor method.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "name", + "two_factor_method", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -352,61 +522,175 @@ "description": "An organization was added to an enterprise.", "docs_reference_links": "N/A", "fields": [ + "org_id", + "operation_type", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "business_id", "org", - "repo", - "user", + "action", + "user_agent", + "actor_id", + "name", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "_document_id", + "business", + "organization_upgrade", + "request_access_security_header" ] }, { "action": "business.add_support_entitlee", "description": "A support entitlement was added to a member of an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/managing-support-entitlements-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing support entitlements for your enterprise" }, { "action": "business_advanced_security.disabled", "description": "GitHub Advanced Security was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was disabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled", "description": "GitHub Advanced Security was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was enabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { @@ -414,25 +698,40 @@ "description": "Enablement for Advanced Security features on new repositories has been unlocked for this enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "request_access_security_header", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "business.advanced_security_policy_update", "description": "An enterprise owner created, updated, or removed a policy for GitHub Advanced Security.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { @@ -440,43 +739,106 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "business_advanced_security.user_namespace_repos_disabled", "description": "GitHub Advanced Security was disabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.user_namespace_repos_enabled", "description": "GitHub Advanced Security was enabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.audit_log_export", "description": "An export of the enterprise audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.", "docs_reference_links": "admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise", + "fields": [ + "user_agent", + "business", + "business_id", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "request_id", + "actor", + "action", + "_document_id", + "query_phrase" + ], "docs_reference_titles": "Exporting audit log activity for your enterprise" }, { "action": "business.audit_log_git_event_export", "description": "An export of the enterprise's Git events was created.", "docs_reference_links": "admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "start", + "end", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Exporting audit log activity for your enterprise" }, { @@ -484,19 +846,21 @@ "description": "An invitation for someone to be an owner of an enterprise was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "actor_id", + "user_agent", + "invitation_id", + "user_id", "_document_id", - "action", + "operation_type", + "created_at", + "name", + "request_id", "actor", - "actor_id", + "@timestamp", "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business_id", + "action" ] }, { @@ -504,25 +868,41 @@ "description": "An invitation for someone to be an billing manager of an enterprise was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "business_id", "action", + "@timestamp", "actor", + "name", + "_document_id", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "business", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "user_agent", + "invitation_id", + "user" ] }, { "action": "business.cancel_trial", "description": "The trial of GitHub Enterprise Cloud was canceled.", "docs_reference_links": "/admin/overview/setting-up-a-trial-of-github-enterprise-cloud", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Setting up a trial of GitHub Enterprise Cloud" }, { @@ -530,31 +910,61 @@ "description": "The seats plan type was changed for an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "seats_plan_type_was", + "seats_plan_type", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "business.clear_actions_settings", "description": "An enterprise owner or site administrator cleared GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.clear_default_repository_permission", "description": "An enterprise owner cleared the base repository permission policy setting for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "name", + "operation_type", + "business_id", + "user_agent", + "actor_id", + "request_id", + "actor", + "_document_id", + "business", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { @@ -562,25 +972,41 @@ "description": "Cleared two-factor authentication restrictions for an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "name", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "business.clear_members_can_create_repos", "description": "An enterprise owner cleared a restriction on repository creation in organizations in the enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#setting-a-policy-for-repository-creation", + "fields": [ + "user_agent", + "actor_id", + "business_id", + "action", + "_document_id", + "request_id", + "name", + "business", + "visibility", + "created_at", + "actor", + "operation_type", + "@timestamp" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { @@ -588,31 +1014,67 @@ "description": "The policy for Code scanning autofix was updated for an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "business.code_scanning_autofix_third_party_tools_policy_update", "description": "The policy for Code scanning autofix third party tools was updated for an enterprise.", "docs_reference_links": "/code-security/getting-started/github-security-features#available-with-github-code-security", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#available-with-github-code-security" }, { "action": "business.code_security_enablement_policy_update", "description": "The policy for Code Security enablement was updated for an enterprise.", "docs_reference_links": "/code-security/getting-started/github-security-features#available-with-github-code-security", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#available-with-github-code-security" }, { @@ -620,31 +1082,54 @@ "description": "Enablement for Code Security features on new repositories has been locked for this enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "request_access_security_header", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "business.connect_usage_metrics_export", "description": "Server statistics were exported for the enterprise.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/exporting-server-statistics", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Exporting Server Statistics" }, { "action": "business.convert_trial", "description": "The enterprise account on a trial of GitHub Enterprise Cloud was upgraded to a paid enterprise account.", "docs_reference_links": "/admin/overview/setting-up-a-trial-of-github-enterprise-cloud", + "fields": [ + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Setting up a trial of GitHub Enterprise Cloud" }, { @@ -652,31 +1137,59 @@ "description": "An enterprise was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "actor_id", "_document_id", "action", - "actor", - "actor_id", + "@timestamp", + "request_id", + "name", "business", - "org", - "repo", - "user", - "created_at", + "business_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "created_at", + "user_agent", + "request_access_security_header" ] }, { "action": "business.create_trial", "description": "A trial of GitHub Enterprise Cloud began.", "docs_reference_links": "/admin/overview/setting-up-a-trial-of-github-enterprise-cloud", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Setting up a trial of GitHub Enterprise Cloud" }, { "action": "business.delete", "description": "The enterprise was deleted.", "docs_reference_links": "/admin/overview/deleting-an-enterprise-account", + "fields": [ + "actor_id", + "business", + "action", + "business_id", + "@timestamp", + "operation_type", + "_document_id", + "request_id", + "user_agent", + "actor", + "name", + "created_at" + ], "docs_reference_titles": "Deleting an enterprise account" }, { @@ -684,19 +1197,19 @@ "description": "Dependabot alerts were disabled for your enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -704,19 +1217,19 @@ "description": "Dependabot alerts were enabled for your enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -724,19 +1237,19 @@ "description": "Dependabot alerts were disabled for new repositories in your enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -744,19 +1257,19 @@ "description": "Dependabot alerts were enabled for new repositories in your enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -764,25 +1277,39 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "business.disable_oidc", "description": "OIDC single sign-on was disabled for an enterprise.", "docs_reference_links": "/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Configuring OIDC for Enterprise Managed Users" }, { @@ -790,19 +1317,18 @@ "description": "SCIM provisioning for custom integrations that use the REST API was disabled for the enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -810,25 +1336,41 @@ "description": "SAML single sign-on was disabled for an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", + "request_id", "business", - "org", - "repo", - "user", + "action", "created_at", + "actor", + "user_agent", + "business_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "issuer", + "@timestamp", + "actor_id", + "name", + "sso_url" ] }, { "action": "business.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was disabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { @@ -836,25 +1378,37 @@ "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "@timestamp", "actor", - "actor_id", "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent", + "business_id", + "actor_id", + "name", + "_document_id", + "request_id" ] }, { "action": "business.enable_oidc", "description": "OIDC single sign-on was enabled for an enterprise.", "docs_reference_links": "/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Configuring OIDC for Enterprise Managed Users" }, { @@ -862,19 +1416,17 @@ "description": "SCIM provisioning for custom integrations that use the REST API was enabled for the enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -882,25 +1434,41 @@ "description": "SAML single sign-on was enabled for an enterprise.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "name", + "sso_url", "@timestamp", - "_document_id", + "issuer", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", + "_document_id", + "request_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "business_id", + "business", + "user_agent" ] }, { "action": "business.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was enabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { @@ -908,19 +1476,18 @@ "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was enabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "actor_id", "action", + "user_agent", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "business", + "business_id", + "name", + "_document_id", + "request_id", + "@timestamp" ] }, { @@ -928,25 +1495,35 @@ "description": "A GitHub Enterprise Server license was downloaded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", "business", - "org", - "repo", + "user_agent", + "action", + "request_id", "user", - "created_at", + "business_id", + "_document_id", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_id", + "@timestamp" ] }, { "action": "business.expire_trial", "description": "The trial of GitHub Enterprise Cloud expired.", "docs_reference_links": "/admin/overview/setting-up-a-trial-of-github-enterprise-cloud", + "fields": [ + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Setting up a trial of GitHub Enterprise Cloud" }, { @@ -954,19 +1531,20 @@ "description": "GitHub Models billing was disabled for the business.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "name", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -974,25 +1552,40 @@ "description": "GitHub Models billing was enabled for the business.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "name", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "business.import_license_usage", "description": "License usage information was imported from a GitHub Enterprise Server instance to an enterprise account on GitHub.com.", "docs_reference_links": "/billing/managing-your-license-for-github-enterprise/syncing-license-usage-between-github-enterprise-server-and-github-enterprise-cloud#manually-uploading-github-enterprise-server-license-usage", + "fields": [ + "name", + "actor", + "business_id", + "created_at", + "request_id", + "user_agent", + "operation_type", + "business", + "action", + "@timestamp", + "_document_id", + "actor_id" + ], "docs_reference_titles": "Syncing license usage between GitHub Enterprise Server and GitHub Enterprise Cloud" }, { @@ -1000,19 +1593,21 @@ "description": "An invitation for someone to be an enterprise owner of an enterprise was sent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "name", + "request_id", + "business", + "invitation_id", + "business_id", + "user_id", + "user_agent", "actor", "actor_id", - "business", - "org", - "repo", + "_document_id", + "@timestamp", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at" ] }, { @@ -1020,19 +1615,21 @@ "description": "An invitation for someone to be an billing manager of an enterprise was sent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "operation_type", + "user_agent", + "invitation_id", "_document_id", - "action", + "business", "actor", + "user_id", + "action", + "@timestamp", + "name", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business_id", + "created_at" ] }, { @@ -1040,19 +1637,20 @@ "description": "An enterprise owner unset a policy for whether members of an enterprise can update protected branches on repositories for individual organizations. Organization owners can choose whether to allow updating protected branches settings.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_id", "action", + "created_at", "actor", "actor_id", + "@timestamp", + "request_id", "business", - "org", - "repo", - "user", - "created_at", + "name", "operation_type", - "programmatic_access_type", - "token_scopes" + "user", + "user_agent", + "business_id", + "_document_id" ] }, { @@ -1060,19 +1658,20 @@ "description": "The ability for enterprise members to update branch protection rules was disabled. Only enterprise owners can update protected branches.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "name", "business", - "org", - "repo", + "business_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -1080,19 +1679,20 @@ "description": "The ability for enterprise members to update branch protection rules was enabled. Enterprise owners and members can update protected branches.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "name", "actor", - "actor_id", - "business", - "org", - "repo", + "operation_type", + "_document_id", + "business_id", "user", + "@timestamp", + "business", + "actor_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "user_agent", + "request_id", + "user_id" ] }, { @@ -1100,19 +1700,19 @@ "description": "The proxy security header was disabled for an enterprise. All users on the network can now access GitHub, unless blocked by other means.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "request_access_security_header", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -1120,19 +1720,18 @@ "description": "The proxy security header was enabled for an enterprise. When the header is provided in requests, only Enterprise Managed Users matching the header will be able to access GitHub.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -1140,61 +1739,163 @@ "description": "A user outside the enterprise tried to access GitHub while the proxy security header was enabled and provided in the request.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "name", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "business.recovery_code_failed", "description": "An enterprise owner failed to sign into a enterprise with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "reason", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Accessing your enterprise account if your identity provider is unavailable" }, { "action": "business.recovery_code_used", "description": "An enterprise owner successfully signed into an enterprise with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Accessing your enterprise account if your identity provider is unavailable" }, { "action": "business.recovery_codes_downloaded", "description": "An enterprise owner downloaded the enterprise's SSO recovery codes.", "docs_reference_links": "/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Downloading your enterprise account's single sign-on recovery codes" }, { "action": "business.recovery_codes_generated", "description": "An enterprise owner generated the enterprise's SSO recovery codes.", "docs_reference_links": "/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Downloading your enterprise account's single sign-on recovery codes" }, { "action": "business.recovery_codes_printed", "description": "An enterprise owner printed the enterprise's SSO recovery codes.", "docs_reference_links": "/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Downloading your enterprise account's single sign-on recovery codes" }, { "action": "business.recovery_codes_viewed", "description": "An enterprise owner viewed the enterprise's SSO recovery codes.", "docs_reference_links": "/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Downloading your enterprise account's single sign-on recovery codes" }, { "action": "business.remove_admin", "description": "An enterprise owner was removed from an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "actor", + "operation_type", + "user_agent", + "business", + "business_id", + "@timestamp", + "created_at", + "request_id", + "action", + "name", + "actor_id", + "user_id", + "_document_id", + "user" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { @@ -1202,19 +1903,20 @@ "description": "A billing manager was removed from an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", "business", - "org", - "repo", - "user", - "created_at", + "actor", + "user_id", + "user_agent", + "request_id", + "action", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "name", + "business_id", + "user", + "created_at" ] }, { @@ -1222,19 +1924,23 @@ "description": "Removed a two-factor authentication method restriction for an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "name", + "two_factor_method", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -1242,19 +1948,20 @@ "description": "A member was removed from an enterprise.", "docs_reference_links": "N/A", "fields": [ + "user_agent", "@timestamp", - "_document_id", - "action", - "actor", + "business_id", "actor_id", - "business", - "org", - "repo", + "actor", + "operation_type", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "user_id", + "action", + "_document_id", + "request_id", + "request_access_security_header" ] }, { @@ -1262,25 +1969,42 @@ "description": "An organization was removed from an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "org_id", "action", + "business", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "request_id", "created_at", + "user_agent", + "business_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "name", + "org" ] }, { "action": "business.remove_support_entitlee", "description": "A support entitlement was removed from a member of an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/managing-support-entitlements-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing support entitlements for your enterprise" }, { @@ -1288,19 +2012,18 @@ "description": "The slug for the enterprise URL was renamed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", + "name", + "business_id", + "user_agent", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "@timestamp", + "created_at", + "business", + "_document_id" ] }, { @@ -1308,19 +2031,19 @@ "description": "The deleted enterprise was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1328,19 +2051,20 @@ "description": "The external identity for a member in an enterprise was revoked.", "docs_reference_links": "N/A", "fields": [ + "request_id", "@timestamp", "_document_id", - "action", + "user_id", + "operation_type", "actor", + "created_at", + "name", + "user_agent", "actor_id", - "business", - "org", - "repo", + "business_id", + "action", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business" ] }, { @@ -1348,37 +2072,84 @@ "description": "The SAML single sign-on session for a member in an enterprise was revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "business_id", + "user_agent", + "request_id", + "user", + "operation_type", "actor", + "_document_id", "actor_id", - "business", - "org", - "repo", - "user", + "name", + "@timestamp", + "user_id", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business" ] }, { "action": "business_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_custom_pattern.create", "description": "An enterprise-level custom pattern was created for secret scanning.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { @@ -1386,19 +2157,19 @@ "description": "An enterprise-level custom pattern was removed from secret scanning.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1406,31 +2177,63 @@ "description": "An enterprise-level custom pattern was published for secret scanning.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "business_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { @@ -1438,43 +2241,103 @@ "description": "Changes to an enterprise-level custom pattern were saved and a dry run was executed for secret scanning.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "business_secret_scanning.disable", "description": "Secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.disabled_for_new_repos", "description": "Secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enable", "description": "Secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enabled_for_new_repos", "description": "Secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { @@ -1482,19 +2345,20 @@ "description": "Generic secrets have been disabled at the business level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -1502,85 +2366,254 @@ "description": "Generic secrets have been enabled at the business level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "business_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_push_protection_custom_message.disable", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.enable", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.update", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disable", "description": "Push protection for secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disabled_for_new_repos", "description": "Push protection for secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enable", "description": "Push protection for secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enabled_for_new_repos", "description": "Push protection for secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { @@ -1588,19 +2621,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1608,19 +2642,26 @@ "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -1628,19 +2669,24 @@ "description": "A CSV export was requested on the \"Coverage\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -1648,19 +2694,26 @@ "description": "A CSV export was requested on the \"Overview Dashboard\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -1668,55 +2721,151 @@ "description": "A CSV export was requested on the \"Risk\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { @@ -1724,31 +2873,68 @@ "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your enterprise. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "N/A", "fields": [ + "issuer", + "name", + "user_agent", + "action", "@timestamp", "_document_id", - "action", "actor", - "actor_id", "business", - "org", - "repo", - "user", + "business_id", + "actor_id", "created_at", + "request_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "business.update_actions_settings", "description": "An enterprise owner or site administrator updated GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "updated_github_owned_allowed", + "updated_verified_allowed", + "updated_patterns", + "new_policy", + "old_policy", + "updated_access_policy" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.update_default_repository_permission", "description": "The base repository permission setting was updated for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "business_id", + "operation_type", + "user_agent", + "actor", + "actor_id", + "permission", + "action", + "created_at", + "@timestamp", + "request_id", + "name", + "_document_id", + "old_permission", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { @@ -1756,51 +2942,84 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "old_emu_repo_runners_policy", + "new_emu_repo_runners_policy", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "business.update_member_repository_creation_permission", "description": "The repository creation setting was updated for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-creation", + "fields": [ + "created_at", + "_document_id", + "request_id", + "name", + "business_id", + "actor", + "actor_id", + "@timestamp", + "operation_type", + "permission", + "action", + "business", + "user_agent", + "visibility" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_invitation_permission", "description": "The policy setting for enterprise members inviting outside collaborators to repositories was updated.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-inviting-outside-collaborators-to-repositories", - "docs_reference_titles": "Enforcing repository management policies in your enterprise" - }, + "fields": [ + "business_id", + "created_at", + "action", + "operation_type", + "@timestamp", + "request_id", + "permission", + "actor", + "actor_id", + "name", + "_document_id", + "user_agent", + "business" + ], + "docs_reference_titles": "Enforcing repository management policies in your enterprise" + }, { "action": "business.update_repo_self_hosted_runners_policy", "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "old_repo_runners_policy", + "new_repo_runners_policy", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1808,37 +3027,87 @@ "description": "The SAML single sign-on provider settings for an enterprise were updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "actor", "_document_id", + "request_id", + "business_id", + "sso_url", + "user_agent", "action", - "actor", - "actor_id", "business", - "org", - "repo", - "user", + "name", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_id", + "@timestamp", + "issuer" ] }, { "action": "business.upgrade_from_organization", "description": "The organization was upgraded to an enterprise account.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/upgrading-your-accounts-plan#upgrading-your-organizations-plan", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/upgrading-your-accounts-plan#upgrading-your-organizations-plan" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { @@ -1847,84 +3116,227 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" ] }, { "action": "code_scanning.alert_appeared_in_branch", "description": "Existing code scanning alerts appeared in a branch.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_fixed", "description": "Code scanning alerts were fixed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_outdated", "description": "Code scanning alerts were closed as outdated (all configurations they were detected in were deleted).", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_numbers", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_by_user", "description": "Code scanning alerts were manually dismissed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers", + "dismissal_approver_id" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_approved", "description": "Dismissal of code scanning alerts was approved.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_denied", "description": "Dismissal of code scanning alerts was denied.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_requested", "description": "Dismissal of code scanning alerts was requested.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_created", "description": "Code scanning alerts were seen for the first time.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reappeared", "description": "Code scanning alerts that were previously fixed reappeared.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reopened_by_user", "description": "Code scanning alerts that were previously dismissed were reopened.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code.search", "description": "A code search was run targeting an organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/search-github/github-code-search", + "fields": [ + "@timestamp", + "action", + "actor_id", + "business_id", + "query", + "org_id", + "user_id", + "_document_id", + "search_string" + ], "docs_reference_titles": "/search-github/github-code-search" }, { @@ -1932,19 +3344,16 @@ "description": "A codespace using custom permissions from its devcontainer.json file was launched.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "origin_repository", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1952,25 +3361,49 @@ "description": "An attempt to create a codespace from a prebuild was made.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "owner", + "pull_request_id", + "repository", + "repository_id", + "user_id", "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "codespaces.business_enablement_updated", "description": "Enterprise setting for Codespaces ownership was updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "organization_names", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { @@ -1978,31 +3411,79 @@ "description": "Credentials for a codespace were refreshed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "machine_type", + "devcontainer_path" ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { @@ -2010,19 +3491,18 @@ "description": "A codespace was exported to a branch on GitHub.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "public_repo" ] }, { @@ -2030,19 +3510,17 @@ "description": "Policies were applied to codespaces in an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2050,19 +3528,20 @@ "description": "Policies were removed from codespaces in an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -2070,19 +3549,19 @@ "description": "Policies were updated for codespaces in an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -2090,19 +3569,19 @@ "description": "A codespace was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2110,19 +3589,27 @@ "description": "A codespace was started.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "name", "org", - "repo", + "owner", + "pull_request_id", + "machine_type", + "user_id", "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2130,25 +3617,39 @@ "description": "A codespace was stopped.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { @@ -2156,19 +3657,20 @@ "description": "A commit comment was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", "repo", - "user", + "org", + "org_id", "created_at", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "actor_id", + "request_id", + "_document_id", + "user_agent", + "action", + "programmatic_access_type" ] }, { @@ -2176,19 +3678,21 @@ "description": "A commit comment was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", + "repo_id", "actor", - "actor_id", - "business", "org", + "request_id", + "action", + "@timestamp", "repo", - "user", + "org_id", + "actor_id", "created_at", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -2196,19 +3700,21 @@ "description": "Copilot access was revoked for the organization or enterprise due to its Copilot subscription ending, an issue with billing the entity, the entity being marked spammy, or the entity being suspended.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "reason", + "plan", + "org_id", + "owner", "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2216,19 +3722,20 @@ "description": "The Copilot enablement policy changed at the enterprise level to either allow or disable access for all organizations, or to allow access for selected organizations.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "previous_value", + "current_value", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2236,19 +3743,17 @@ "description": "Copilot feature settings were changed at the enterprise level.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2256,19 +3761,15 @@ "description": "Copilot feature settings were changed at the organization level.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2276,25 +3777,41 @@ "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { @@ -2302,19 +3819,24 @@ "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", + "token_id", + "token_scopes", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -2322,19 +3844,17 @@ "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2342,19 +3862,20 @@ "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -2362,19 +3883,19 @@ "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "seat_assignment", + "request_access_security_header" ] }, { @@ -2382,19 +3903,21 @@ "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "user_id", "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -2402,19 +3925,21 @@ "description": "The seat management setting was changed at the organization level to either enable or disable Copilot access for all members of the organization, or to enable Copilot access for selected members or teams.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "old_value", + "new_value", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2422,19 +3947,17 @@ "description": "The GitHub Copilot Product Terms or Pre-Release Preview Terms were accepted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2442,19 +3965,21 @@ "description": "The excluded paths for GitHub Copilot were updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "excluded_paths", + "owner_type", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -2462,43 +3987,113 @@ "description": "Copilot access was enabled or disabled at the enterprise level.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "previous_value", + "current_value", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "copilot.knowledge_base_created", "description": "A knowledge base was created in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_deleted", "description": "A knowledge base was deleted from the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_updated", "description": "A knowledge base was updated in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.plan_changed", "description": "The plan for GitHub Copilot was updated.", "docs_reference_links": "/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_plan", + "plan", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About billing for GitHub Copilot" }, { @@ -2506,19 +4101,23 @@ "description": "The plan for GitHub Copilot was scheduled to be downgraded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "org_id", + "owner", "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "current_plan", + "scheduled_plan" ] }, { @@ -2526,19 +4125,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "runner_group_id", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2546,19 +4149,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2566,79 +4171,257 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "runner_group_id", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { @@ -2646,19 +4429,22 @@ "description": "The default repository access for Dependabot was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", "org", - "repo", - "user", + "org_id", + "access_level", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -2666,25 +4452,38 @@ "description": "The repositories that Dependabot can access were updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -2692,25 +4491,40 @@ "description": "Dependabot security updates were enabled for all existing repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -2718,25 +4532,40 @@ "description": "Dependabot security updates were enabled for all new repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -2744,25 +4573,40 @@ "description": "The dependency graph was enabled for all existing repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -2770,19 +4614,20 @@ "description": "The dependency graph was enabled for all new repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { @@ -2790,19 +4635,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", + "org", + "repo_id", + "request_id", "action", "actor", + "org_id", + "_document_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", + "@timestamp", + "created_at", + "user_agent", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2810,19 +4657,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "repo_id", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", - "created_at", + "_document_id", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "repo", + "org_id", + "action", + "request_access_security_header" ] }, { @@ -2830,61 +4678,175 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "repo_id", + "user_agent", "actor_id", - "business", + "org_id", + "actor", "org", - "repo", - "user", - "created_at", + "action", "operation_type", + "@timestamp", + "request_id", + "title", + "_document_id", + "created_at", + "repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { @@ -2892,133 +4854,408 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "enterprise_domain.approve", "description": "A domain was approved for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#approving-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.create", "description": "A domain was added to an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.destroy", "description": "A domain was removed from an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#removing-an-approved-or-verified-domain", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.verify", "description": "A domain was verified for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_installation.create", "description": "The GitHub App associated with a GitHub Connect connection was created.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "operation_type", + "@timestamp", + "_document_id", + "org_id", + "action", + "request_id", + "org", + "actor_id", + "user_agent", + "actor" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "enterprise_installation.destroy", "description": "The GitHub App associated with a GitHub Connect connection was deleted.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "_document_id", + "action", + "@timestamp", + "actor_id", + "actor", + "user_agent", + "org", + "operation_type", + "request_id", + "org_id" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "enterprise.register_self_hosted_runner", "description": "A new GitHub Actions self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "enterprise.remove_self_hosted_runner", "description": "A GitHub Actions self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_created", "description": "A GitHub Actions self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_removed", "description": "A GitHub Actions self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", - "docs_reference_titles": "Managing access to self-hosted runners using groups" - }, - { + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], + "docs_reference_titles": "Managing access to self-hosted runners using groups" + }, + { "action": "enterprise.runner_group_renamed", "description": "A GitHub Actions self-hosted runner group was renamed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runner_removed", "description": "The REST API was used to remove a GitHub Actions self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "enterprise.runner_group_runners_added", "description": "A GitHub Actions self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runners_updated", "description": "A GitHub Actions runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "enterprise.runner_group_updated", "description": "The configuration of a GitHub Actions self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_visiblity_updated", "description": "The visibility of a GitHub Actions self-hosted runner group was updated via the REST API.", "docs_reference_links": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "visibility", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" }, { "action": "enterprise.self_hosted_runner_offline", "description": "The GitHub Actions runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_online", "description": "The GitHub Actions runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_updated", "description": "The GitHub Actions runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "About self-hosted runners" }, { @@ -3026,19 +5263,22 @@ "description": "A new member was added to the enterprise team or an IdP group linked to an enterprise team, or an IdP group was linked to an enterprise team.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", "user", + "business", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -3046,19 +5286,21 @@ "description": "A license for GitHub Copilot was assigned to an enterprise team.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", "business", - "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -3066,19 +5308,20 @@ "description": "A license for GitHub Copilot was unassigned from an enterprise team.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", "business", - "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -3086,19 +5329,19 @@ "description": "A new enterprise team was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", "business", - "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -3106,19 +5349,20 @@ "description": "An enterprise team was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", "business", - "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -3126,19 +5370,22 @@ "description": "A member was removed from the enterprise team or an IdP group linked to an enterprise team, or an IdP group was unlinked from an enterprise team.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", "user", + "business", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -3146,25 +5393,45 @@ "description": "The name of an enterprise team was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "business_id", + "enterprise_team_id", + "enterprise_team", "business", - "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { @@ -3172,73 +5439,259 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "environment_name", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { @@ -3246,19 +5699,27 @@ "description": "A user was added to an external group.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", - "repo", + "token_id", + "token_scopes", + "external_group", + "external_group_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "scim_group_id", + "request_access_security_header" ] }, { @@ -3266,19 +5727,20 @@ "description": "An external group was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "oauth_application_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "scim_group_id" ] }, { @@ -3286,19 +5748,22 @@ "description": "An external group was linked to a GitHub team.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "external_group_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group", "programmatic_access_type", - "token_scopes" + "scim_group_id", + "request_access_security_header" ] }, { @@ -3306,19 +5771,21 @@ "description": "An external group was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "oauth_application_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -3326,31 +5793,91 @@ "description": "A user was removed from an external group.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", - "repo", + "token_id", + "token_scopes", + "external_group", + "external_group_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { "action": "external_group.scim_api_failure", "description": "Failed external group SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.scim_api_success", "description": "Successful external group SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { @@ -3358,19 +5885,19 @@ "description": "An external group was unlinked to a GitHub team.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "external_group_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group" ] }, { @@ -3378,19 +5905,22 @@ "description": "An external group was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "oauth_application_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "scim_group_id", + "request_access_security_header" ] }, { @@ -3398,19 +5928,25 @@ "description": "An external group's display name was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "token_id", + "token_scopes", + "external_group_id", + "external_group", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "scim_group_id", + "request_access_security_header" ] }, { @@ -3418,19 +5954,20 @@ "description": "An external identity was deprovisioned, suspending the linked GitHub user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "oauth_application_id", + "action", + "user_id", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -3438,31 +5975,82 @@ "description": "An external identity was created and linked to a GitHub user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "request_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "user_id", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes" + "scim_user_id", + "request_access_security_header" ] }, { "action": "external_identity.scim_api_failure", "description": "Failed external identity SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.scim_api_success", "description": "Successful external identity SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { @@ -3470,56 +6058,39 @@ "description": "An external identity was updated.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", "@timestamp", + "created_at", "_document_id", - "action", + "token_scopes", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] + }, + { + "action": "git.clone", + "description": "A repository was cloned.", + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" - ] - }, - { - "action": "git.clone", - "description": "A repository was cloned.", - "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", + "org_id", "business", - "org", - "repo", + "business_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_id", + "transport_protocol_name" ] }, { @@ -3527,36 +6098,21 @@ "description": "Changes were fetched from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", "actor", "actor_id", - "business", "org", - "repo", + "org_id", + "business", + "business_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_id", + "transport_protocol_name" ] }, { @@ -3564,36 +6120,20 @@ "description": "Changes were pushed to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", "actor", "actor_id", - "business", "org", - "repo", + "org_id", + "business", + "business_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_id", + "transport_protocol_name" ] }, { @@ -3601,19 +6141,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -3621,19 +6165,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -3641,19 +6187,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -3661,19 +6210,25 @@ "description": "A hook's active status was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -3681,25 +6236,53 @@ "description": "A hook's configuration was changed.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "operation_type", "@timestamp", "_document_id", - "action", "actor", - "actor_id", - "business", + "name", "org", + "user_agent", + "request_id", + "hook_id", "repo", - "user", + "repo_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { @@ -3707,19 +6290,25 @@ "description": "A hook was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "events", "repo", - "user", "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -3727,19 +6316,26 @@ "description": "A hook's configured events were changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "events", "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -3747,19 +6343,22 @@ "description": "A GitHub App was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "operation_type", + "@timestamp", "actor", + "user_agent", "actor_id", - "business", - "org", - "repo", - "user", + "request_id", + "name", + "user_id", + "_document_id", + "integration", "created_at", - "operation_type", "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "application_client_id" ] }, { @@ -3767,19 +6366,19 @@ "description": "A GitHub App was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "user_id", "actor_id", - "business", - "org", - "repo", + "request_id", + "@timestamp", + "name", + "integration", "user", - "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent" ] }, { @@ -3787,85 +6386,282 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "name", + "integration", "business", - "org", - "repo", - "user", - "created_at", + "business_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "application_client_id" ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", - "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" - }, + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], + "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" + }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation_request.close", "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "url", + "actor", + "actor_id", + "created_at", + "request_id", + "operation_type", + "@timestamp", + "integration", + "action", + "user_agent", + "reason", + "_document_id", + "org", + "org_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation_request.create", "description": "A member requested that an owner install a GitHub App.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "@timestamp", + "actor_id", + "org", + "_document_id", + "requester", + "action", + "user_agent", + "created_at", + "url", + "org_id", + "request_id", + "operation_type", + "actor", + "integration", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { @@ -3873,19 +6669,20 @@ "description": "A client secret for a GitHub App was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" ] }, { @@ -3893,19 +6690,20 @@ "description": "All user tokens for a GitHub App were requested to be revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "application_client_id" ] }, { @@ -3913,37 +6711,93 @@ "description": "Token(s) for a GitHub App were revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "application_client_id" ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { @@ -3951,19 +6805,19 @@ "description": "An IP allow list was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "operation_type", "actor", - "actor_id", - "business", + "request_id", "org", - "repo", - "user", + "user_agent", + "_document_id", + "user_id", + "actor_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "action", + "@timestamp", + "user" ] }, { @@ -3971,19 +6825,19 @@ "description": "An IP allow list was disabled for installed GitHub Apps.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { @@ -3991,19 +6845,18 @@ "description": "Identity Provider based IP allow list for web interactions was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -4011,19 +6864,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4031,19 +6882,19 @@ "description": "IP allow list user level enforcement was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4051,19 +6902,21 @@ "description": "An IP allow list was enabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", "_document_id", "action", - "actor", + "@timestamp", + "user_agent", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "created_at" ] }, { @@ -4071,19 +6924,19 @@ "description": "An IP allow list was enabled for installed GitHub Apps.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "created_at", + "user", + "user_id", "business", - "org", - "repo", - "user", - "created_at", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { @@ -4091,19 +6944,18 @@ "description": "Identity Provider based IP allow list for web interactions was enabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -4111,19 +6963,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4131,19 +6981,19 @@ "description": "IP allow list user level enforcement was enabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4151,19 +7001,24 @@ "description": "An IP address was added to an IP allow list.", "docs_reference_links": "N/A", "fields": [ + "active", + "org", + "ip_allow_list_entry", "@timestamp", "_document_id", + "operation_type", + "created_at", + "user_agent", "action", - "actor", + "request_id", "actor_id", + "business_id", + "org_id", "business", - "org", - "repo", - "user", - "created_at", - "operation_type", + "actor", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4171,19 +7026,24 @@ "description": "An IP address was deleted from an IP allow list.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4191,19 +7051,19 @@ "description": "An IP address or its description was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" ] }, { @@ -4211,19 +7071,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4231,19 +7089,22 @@ "description": "A comment on an issue was deleted from the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", + "org_id", "org", "repo", - "user", + "actor_id", + "@timestamp", "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "repo_id", + "actor", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -4251,61 +7112,183 @@ "description": "A comment on an issue (other than the initial one) changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", "repo", - "user", + "org", + "action", + "repo_id", + "org_id", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "user_agent", + "request_id", + "_document_id", + "actor_id", + "actor", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "issue.destroy", "description": "An issue was deleted from the repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/deleting-an-issue", + "fields": [ + "user", + "actor_id", + "created_at", + "title", + "@timestamp", + "_document_id", + "request_id", + "actor", + "user_id", + "action", + "operation_type", + "user_agent", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting an issue" }, { "action": "issue.pinned", "description": "An issue was pinned to a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "_document_id", + "user_agent", + "actor_id", + "created_at", + "action", + "actor", + "operation_type", + "owner_type", + "@timestamp", + "repo_id", + "request_id", + "number", + "repo", + "event", + "user", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issue.transfer", "description": "An issue was transferred to another repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/transferring-an-issue-to-another-repository", + "fields": [ + "user", + "user_id", + "@timestamp", + "user_agent", + "owner_type", + "actor_id", + "number", + "repo", + "operation_type", + "_document_id", + "repo_id", + "action", + "request_id", + "created_at", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "Transferring an issue to another repository" }, { "action": "issue.unpinned", "description": "An issue was unpinned from a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "event", + "user_agent", + "actor_id", + "repo_id", + "actor", + "action", + "created_at", + "request_id", + "repo", + "operation_type", + "_document_id", + "number", + "owner_type", + "@timestamp", + "user", + "user_id", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issues.deletes_disabled", "description": "The ability for enterprise members to delete issues was disabled Members cannot delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user_agent", + "action", + "@timestamp", + "operation_type", + "request_id", + "actor_id", + "user_id", + "created_at", + "_document_id", + "actor", + "user", + "org", + "org_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_enabled", "description": "The ability for enterprise members to delete issues was enabled Members can delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "operation_type" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_policy_cleared", "description": "An enterprise owner cleared the policy setting for allowing members to delete issues in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user", + "request_id", + "actor", + "business_id", + "action", + "operation_type", + "user_agent", + "created_at", + "@timestamp", + "_document_id", + "business", + "user_id", + "actor_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { @@ -4313,19 +7296,18 @@ "description": "The GitHub Marketplace Developer Agreement was signed.", "docs_reference_links": "N/A", "fields": [ + "request_id", + "actor", + "actor_id", "@timestamp", "_document_id", + "user_agent", + "operation_type", + "created_at", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -4333,19 +7315,21 @@ "description": "A listing was approved for inclusion in GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "secondary_category", "actor", - "actor_id", - "business", - "org", - "repo", + "primary_category", "user", - "created_at", + "@timestamp", + "_document_id", + "user_id", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" ] }, { @@ -4353,19 +7337,21 @@ "description": "A category for a listing for an app in GitHub Marketplace was changed.", "docs_reference_links": "N/A", "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", "@timestamp", - "_document_id", + "integration", + "org_id", "action", - "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "secondary_category", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "actor_id", + "_document_id" ] }, { @@ -4373,19 +7359,22 @@ "description": "A listing for an app in GitHub Marketplace was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "primary_category", "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp" ] }, { @@ -4393,19 +7382,21 @@ "description": "A listing was removed from GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "org", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "org_id", "created_at", + "secondary_category", "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" ] }, { @@ -4413,19 +7404,22 @@ "description": "A listing was sent back to draft state.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" ] }, { @@ -4433,61 +7427,178 @@ "description": "A listing was not accepted for inclusion in GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "members_can_create_pages.disable", "description": "The ability for members to publish GitHub Pages sites was disabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_pages.enable", "description": "The ability for members to publish GitHub Pages sites was enabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.disable", "description": "The ability for members to publish public GitHub Pages was disabled Members cannot publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.enable", "description": "The ability for members to publish public GitHub Pages was enabled Members can publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_delete_repos.clear", "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "_document_id", + "request_id", + "user", + "user_id", + "business", + "operation_type", + "user_agent", + "actor", + "actor_id", + "business_id", + "@timestamp", + "created_at", + "action" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.disable", "description": "The ability for enterprise members to delete repositories was disabled Members cannot delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "request_id", + "org", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "actor", + "operation_type", + "org_id", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.enable", "description": "The ability for enterprise members to delete repositories was enabled Members can delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "action", + "org_id", + "user_id", + "business", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user", + "business_id", + "created_at", + "actor", + "org", + "operation_type", + "user_agent" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { @@ -4497,29 +7608,61 @@ "fields": [ "@timestamp", "_document_id", - "action", - "actor", + "user_agent", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "actor", + "action", + "operation_type" ] }, { "action": "members_can_view_dependency_insights.disable", "description": "The ability for enterprise members to view dependency insights was disabled. Members cannot view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "business", + "created_at", + "user_id", + "business_id", + "user", + "org", + "operation_type", + "request_id", + "actor", + "_document_id", + "action", + "user_agent", + "actor_id", + "org_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "members_can_view_dependency_insights.enable", "description": "The ability for enterprise members to view dependency insights was enabled. Members can view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "user_agent", + "user", + "user_id", + "business", + "business_id", + "operation_type", + "@timestamp", + "action", + "actor", + "actor_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { @@ -4527,19 +7670,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4547,19 +7690,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4567,19 +7714,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4587,19 +7733,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4607,19 +7754,14 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "user", "@timestamp", "_document_id", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_access_security_header" ] }, { @@ -4627,19 +7769,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -4647,19 +7789,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "action", "org", - "repo", - "user", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" ] }, { @@ -4667,19 +7808,23 @@ "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo", + "org_id", "_document_id", + "org", + "repo_id", "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4687,19 +7832,16 @@ "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was deleted.", "docs_reference_links": "N/A", "fields": [ + "org", "@timestamp", - "_document_id", + "org_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "repo", + "_document_id", + "repo_id", + "request_access_security_header" ] }, { @@ -4707,97 +7849,309 @@ "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was downloaded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "org_id", + "request_id", + "oauth_application_id", + "repo_id", + "operation_type", + "@timestamp", + "user_agent", + "created_at", "org", + "action", + "_document_id", "repo", - "user", - "created_at", - "operation_type", + "actor", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "network_configuration.create", "description": "A network configuration for a hosted compute service was created.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.delete", "description": "A network configuration for a hosted compute service was deleted.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.update", "description": "A network configuration for a hosted compute service was updated.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { @@ -4805,19 +8159,22 @@ "description": "A user joined an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "permission", "_document_id", - "action", - "actor", - "actor_id", - "business", "org", - "repo", + "operation_type", + "request_id", + "actor", "user", + "@timestamp", "created_at", - "operation_type", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -4825,19 +8182,24 @@ "description": "An outside collaborator was added to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "inviter", "org", + "org_id", "repo", - "user", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4845,19 +8207,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "org_id", "org", - "repo", - "user", + "team", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "programmatic_access_type" ] }, { @@ -4865,18 +8229,19 @@ "description": "GitHub Advanced Security was disabled for new repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -4885,18 +8250,21 @@ "description": "GitHub Advanced Security was disabled for all repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -4905,18 +8273,19 @@ "description": "GitHub Advanced Security was enabled for new repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -4925,18 +8294,21 @@ "description": "GitHub Advanced Security was enabled for all repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -4944,30 +8316,109 @@ "action": "org.advanced_security_entity_policy_update", "description": "An enterprise owner updated the GitHub Advanced Security access policy for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "new_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", - "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" - }, - { - "action": "org.audit_log_export", - "description": "An export of the organization audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.", - "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log", - "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], + "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" + }, + { + "action": "org.audit_log_export", + "description": "An export of the organization audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.", + "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "actor", + "org", + "action", + "created_at", + "user_agent", + "actor_id" + ], + "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" }, { "action": "org.audit_log_git_event_export", "description": "An export of the organization's Git events was created.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "start", + "end", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization" }, { @@ -4975,31 +8426,59 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "created_at", + "request_id", + "user_agent", + "action", "@timestamp", + "actor_id", + "org_id", "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { @@ -5007,19 +8486,22 @@ "description": "An invitation sent to a user to join an organization was revoked.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "org_id", + "request_id", + "email", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "action", + "operation_type", + "user_agent", "org", - "repo", - "user", + "invitation_id", + "_document_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "invitee_email", + "token_scopes", + "programmatic_access_type" ] }, { @@ -5027,19 +8509,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -5047,19 +8529,23 @@ "description": "Autofix for code scanning alerts was disabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -5067,19 +8553,21 @@ "description": "Autofix for code scanning alerts was enabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -5087,19 +8575,23 @@ "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -5107,43 +8599,114 @@ "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codespaces_access_updated", "description": "Access to use Codespaces on internal and private repositories was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization" }, { "action": "org.codespaces_ownership_updated", "description": "Ownership and payment for codespaces was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { @@ -5151,19 +8714,18 @@ "description": "A team has been allowed to use Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -5171,31 +8733,58 @@ "description": "A team has been prevented from using Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "org.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to all other repositories in an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to all other repositories in an organization was revoked.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { @@ -5203,19 +8792,21 @@ "description": "A user has been allowed to use Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -5223,55 +8814,135 @@ "description": "A user has been prevented from using Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", - "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" - }, - { - "action": "org.config.disable_contributors_only", - "description": "The interaction limit for prior contributors only for an organization was disabled.", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], + "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" + }, + { + "action": "org.config.disable_contributors_only", + "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { @@ -5279,43 +8950,107 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", + "token_id", + "token_scopes", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.create_actions_secret", "description": "A GitHub Actions secret was created for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.create_actions_variable", "description": "A GitHub Actions variable was created for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -5323,18 +9058,20 @@ "description": "A Codespaces or Dependabot secret was created for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "key", + "visibility", + "integration", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -5342,18 +9079,90 @@ "action": "org_credential_authorization.deauthorize", "description": "A member removed the SSO (SAML or OIDC) authorization from a credential that had access to your organization.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor_id", + "org_id", + "business", + "action", + "@timestamp", + "org", + "_document_id", + "business_id", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authorizing a personal access token for use with single sign-on" }, { "action": "org_credential_authorization.grant", "description": "A member authorized credentials for use with SAML or OIDC single sign-on.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "created_at", + "org_id", + "business_id", + "operation_type", + "request_id", + "_document_id", + "action", + "actor_id", + "business", + "org", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "request_access_security_header", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authenticating with single sign-on" }, { "action": "org_credential_authorization.revoke", "description": "An owner revoked authorized credentials.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization", + "fields": [ + "actor", + "org", + "@timestamp", + "owner", + "oauth_application_id", + "org_id", + "operation_type", + "action", + "business", + "request_id", + "created_at", + "business_id", + "actor_id", + "_document_id", + "user_agent", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { @@ -5361,37 +9170,80 @@ "description": "An organization was deleted by a user or staff.", "docs_reference_links": "N/A", "fields": [ + "user_agent", "@timestamp", "_document_id", - "action", + "created_at", "actor", - "actor_id", - "business", + "org_id", "org", - "repo", - "user", - "created_at", + "action", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "request_access_security_header" ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were disabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "org_id", + "action", + "_document_id", + "request_id", + "@timestamp", + "actor", + "org", + "operation_type", + "user_agent", + "created_at" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { @@ -5399,19 +9251,15 @@ "description": "SAML single sign-on was disabled for an organization.", "docs_reference_links": "N/A", "fields": [ + "org_id", + "sso_url", + "issuer", + "action", "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "operation_type" ] }, { @@ -5419,19 +9267,17 @@ "description": "A two-factor authentication requirement was disabled for the organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "created_at", + "org", + "org_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "@timestamp", + "_document_id", + "user_agent" ] }, { @@ -5439,19 +9285,19 @@ "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", + "user_id", "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" ] }, { @@ -5459,49 +9305,120 @@ "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "org", + "user_agent", + "request_id", + "actor", "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", - "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" - }, + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], + "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" + }, { "action": "org.enable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were enabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "operation_type", + "org", + "created_at", + "_document_id", + "actor", + "org_id", + "action", + "user_agent", + "request_id", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { @@ -5509,19 +9426,18 @@ "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "org_id", + "manager", "@timestamp", - "_document_id", - "action", + "request_id", "actor", + "operation_type", + "_document_id", "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "created_at" ] }, { @@ -5529,25 +9445,43 @@ "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", "docs_reference_links": "N/A", "fields": [ + "org_id", "@timestamp", - "_document_id", + "org", + "user_agent", + "request_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "manager", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "_document_id" ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { @@ -5555,19 +9489,19 @@ "description": "An organization was invited to join an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -5575,19 +9509,19 @@ "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", + "org_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5595,25 +9529,41 @@ "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", "docs_reference_links": "N/A", "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", "@timestamp", + "created_at", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action" ] }, { "action": "org.oauth_app_access_approved", "description": "Access to an organization was granted for an OAuth App.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization", + "fields": [ + "url", + "actor", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "org_id", + "_document_id", + "org", + "action", + "created_at", + "@timestamp", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization" }, { @@ -5621,25 +9571,41 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "url", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { "action": "org.oauth_app_access_denied", "description": "Access was disabled for an OAuth App that was previously approved.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization", + "fields": [ + "request_id", + "url", + "created_at", + "org_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "org", + "operation_type", + "actor", + "actor_id", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization" }, { @@ -5647,19 +9613,20 @@ "description": "An organization member requested that an owner grant an OAuth App access to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "operation_type", + "created_at", + "user_agent", "actor_id", - "business", + "_document_id", + "request_id", + "url", + "org_id", + "action", + "@timestamp", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "oauth_application_name" ] }, { @@ -5667,19 +9634,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "url", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -5688,78 +9656,231 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", + "created_at", + "request_id", + "org_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "org" ] }, { "action": "org.recovery_code_failed", "description": "An organization owner failed to sign into a organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_code_used", "description": "An organization owner successfully signed into an organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_codes_downloaded", "description": "An organization owner downloaded the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_generated", "description": "An organization owner generated the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_printed", "description": "An organization owner printed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_viewed", "description": "An organization owner viewed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_actions_secret", "description": "A GitHub Actions secret was removed from an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", - "docs_reference_titles": "Using secrets in GitHub Actions" - }, - { - "action": "org.remove_actions_variable", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], + "docs_reference_titles": "Using secrets in GitHub Actions" + }, + { + "action": "org.remove_actions_variable", "description": "A GitHub Actions variable was removed from an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { @@ -5767,18 +9888,21 @@ "description": "A Codespaces or Dependabot secret was removed from an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "key", + "integration", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -5787,19 +9911,21 @@ "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", "created_at", + "user", "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "org", + "token_scopes", + "programmatic_access_type" ] }, { @@ -5807,19 +9933,21 @@ "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", "org", - "repo", "user", + "org_id", "created_at", + "request_id", + "@timestamp", + "action", "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5827,25 +9955,41 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "org_id", "org", - "repo", - "user", + "team", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "programmatic_access_type" ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { @@ -5853,139 +9997,472 @@ "description": "An organization was renamed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", "_document_id", + "@timestamp", + "org", "action", "actor", + "old_login", + "org_id", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_access_security_header" ] }, { "action": "org.required_workflow_create", "description": "Triggered when a required workflow is created.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_delete", "description": "Triggered when a required workflow is deleted.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_update", "description": "Triggered when a required workflow is updated.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_renamed", "description": "A self-hosted runner group was renamed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_visiblity_updated", "description": "The visibility of a self-hosted runner group was updated via the REST API.", "docs_reference_links": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "visibility", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", - "docs_reference_titles": "Defining custom patterns for secret scanning" - }, - { - "action": "org_secret_scanning_custom_pattern.delete", - "description": "A custom pattern was removed from secret scanning in an organization.", - "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", - "docs_reference_titles": "Defining custom patterns for secret scanning" + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], + "docs_reference_titles": "Defining custom patterns for secret scanning" + }, + { + "action": "org_secret_scanning_custom_pattern.delete", + "description": "A custom pattern was removed from secret scanning in an organization.", + "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], + "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { @@ -5993,19 +10470,22 @@ "description": "Generic secrets have been disabled at the organization level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -6013,145 +10493,485 @@ "description": "Generic secrets have been enabled at the organization level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", - "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" - }, - { - "action": "org.self_hosted_runner_offline", - "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], + "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" + }, + { + "action": "org.self_hosted_runner_offline", + "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { @@ -6159,37 +10979,77 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", "_document_id", - "action", + "org_id", + "operation_type", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", + "request_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "action" ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { @@ -6197,55 +11057,158 @@ "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "user_agent", "actor", "actor_id", - "business", + "org_id", + "@timestamp", "org", - "repo", - "user", - "created_at", + "issuer", + "business", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "org.transfer", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "from_business", + "to_business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.transfer_outgoing", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "business", + "business_id", + "from_business", + "to_business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_secret", "description": "A GitHub Actions secret was updated for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "created_at", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_actions_variable", "description": "A GitHub Actions variable was updated for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -6253,19 +11216,20 @@ "description": "The default repository permission level for organization members was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" ] }, { @@ -6273,19 +11237,22 @@ "description": "A Codespaces or Dependabot secret was updated for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "key", + "visibility", + "integration", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -6294,18 +11261,20 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", + "org_id", + "created_at", "_document_id", + "user", + "user_id", "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "old_permission", + "permission", + "actor", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "org" ] }, { @@ -6313,31 +11282,60 @@ "description": "The create repository permission for organization members was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "action", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "permission", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_new_repository_default_branch_setting", "description": "The name of the default branch was changed for new repositories in the organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization" }, { @@ -6345,67 +11343,173 @@ "description": "An organization's SAML provider settings were updated.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", "@timestamp", + "issuer", + "org", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "org_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "action" ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", - "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], + "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_default_label.create", "description": "A default label was created for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label", + "fields": [ + "request_id", + "actor_id", + "actor", + "org", + "org_id", + "operation_type", + "_document_id", + "action", + "created_at", + "@timestamp", + "user_agent", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label" }, { "action": "organization_default_label.destroy", "description": "A default label was deleted for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label", + "fields": [ + "operation_type", + "request_id", + "actor", + "@timestamp", + "_document_id", + "actor_id", + "org_id", + "org", + "action", + "created_at", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label" }, { "action": "organization_default_label.update", "description": "A default label was edited for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label", + "fields": [ + "org", + "created_at", + "@timestamp", + "actor", + "action", + "user_agent", + "actor_id", + "org_id", + "operation_type", + "request_id", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { @@ -6413,19 +11517,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "team", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -6433,19 +11536,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -6453,19 +11556,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "team", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -6473,67 +11575,222 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { "action": "organization_projects_change.clear", "description": "An enterprise owner cleared the policy setting for organization-wide project boards in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor", + "business_id", + "@timestamp", + "actor_id", + "user", + "user_id", + "action", + "user_agent", + "_document_id", + "created_at", + "operation_type", + "request_id", + "business" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.disable", "description": "Organization projects were disabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "org_id", + "action", + "user", + "org", + "created_at", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.enable", "description": "Organization projects were enabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor_id", + "org_id", + "created_at", + "user_id", + "org", + "@timestamp", + "_document_id", + "user_agent", + "actor", + "request_id", + "user", + "action", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_role.assign", "description": "An organization role was assigned to a user or team.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.create", "description": "A custom organization role was created in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.destroy", "description": "A custom organization role was deleted in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.revoke", "description": "A user or team was unassigned an organization role.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.update", "description": "A custom organization role was edited in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "old_role_permissions", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "old_base_role" + ], "docs_reference_titles": "About custom organization roles" }, { @@ -6541,25 +11798,45 @@ "description": "An organization's default project base role was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { @@ -6567,25 +11844,49 @@ "description": "A package was published or republished to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "actor", "org", + "org_id", "repo", - "user", - "created_at", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { @@ -6593,37 +11894,87 @@ "description": "A specific package version was published or republished to a package.", "docs_reference_links": "N/A", "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", "@timestamp", + "created_at", "_document_id", - "action", - "actor", - "actor_id", "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business_id", + "actor_is_bot" ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { @@ -6631,19 +11982,18 @@ "description": "A new payment method was added, such as a new credit card or PayPal account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", "_document_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -6651,19 +12001,16 @@ "description": "A payment method was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "_document_id", + "request_access_security_header" ] }, { @@ -6671,25 +12018,40 @@ "description": "An existing payment method was updated.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", "@timestamp", - "_document_id", "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "_document_id", + "request_access_security_header" ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { @@ -6697,19 +12059,22 @@ "description": "The configured restriction for access to resources via personal access tokens was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "programmatic_access_type", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -6717,19 +12082,22 @@ "description": "The configured restriction for access to resources via personal access tokens was enabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "programmatic_access_type", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -6737,25 +12105,43 @@ "description": "The configured restriction for access to resources via personal access tokens was reset and delegated to organizations.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "programmatic_access_type", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { @@ -6763,19 +12149,21 @@ "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -6783,19 +12171,21 @@ "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -6803,19 +12193,21 @@ "description": "Triggered when the enterprise delegates to the organizations when to require approval for fine-grained personal access tokens before the tokens can access organization resources.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -6823,19 +12215,23 @@ "description": "A personal access token expiration limit was set.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "token_expiration", + "old_token_expiration", + "exempt_administrators", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -6843,19 +12239,21 @@ "description": "A personal access token expiration limit was unset.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "old_token_expiration", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -6863,75 +12261,183 @@ "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "user_programmatic_access_name", "org", - "repo", - "user", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_programmatic_access_request_id" ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "prebuild_configuration.create", "description": "A GitHub Codespaces prebuild configuration for a repository was created.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.destroy", "description": "A GitHub Codespaces prebuild configuration for a repository was deleted.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.run_triggered", "description": "A user initiated a run of a GitHub Codespaces prebuild configuration for a repository branch.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.update", "description": "A GitHub Codespaces prebuild configuration for a repository was edited.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", - "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" - }, - { - "action": "premium_runner.create", - "description": "N/A", - "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "branch", + "repository", + "repository_id", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "public_repo" + ], + "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" + }, + { + "action": "premium_runner.create", + "description": "N/A", + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" ] }, { @@ -6939,19 +12445,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -6959,19 +12465,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -6979,19 +12483,19 @@ "description": "An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "user_id", "action", - "actor", + "operation_type", + "@timestamp", + "business_id", "actor_id", - "business", - "org", - "repo", "user", + "business", + "request_id", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id" ] }, { @@ -6999,19 +12503,23 @@ "description": "An enterprise owner disabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are never allowed to be forked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo_id", + "created_at", + "actor_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "repo", + "action", + "user_agent", + "@timestamp", + "org", "operation_type", + "request_id", + "user_id", + "org_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -7019,19 +12527,23 @@ "description": "An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "actor_id", + "user_id", + "operation_type", "_document_id", "action", - "actor", - "actor_id", - "business", - "org", + "@timestamp", "repo", + "org", + "business", + "user_agent", + "request_id", + "actor", + "repo_id", "user", + "org_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business_id" ] }, { @@ -7039,19 +12551,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -7059,19 +12571,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -7079,19 +12591,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -7099,25 +12611,39 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { @@ -7125,19 +12651,17 @@ "description": "A project board visibility was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", + "actor", + "user_agent", + "operation_type", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" ] }, { @@ -7145,25 +12669,48 @@ "description": "A project's base role was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", + "project_number", + "public_project", "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { @@ -7171,19 +12718,25 @@ "description": "A collaborator was added to a project.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "collaborator_type", "org", - "repo", - "user", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" ] }, { @@ -7191,19 +12744,20 @@ "description": "A collaborator was removed from a project.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "collaborator_type", "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -7211,19 +12765,25 @@ "description": "A project collaborator's permission level was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -7231,19 +12791,17 @@ "description": "A project board was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "operation_type", + "user", "_document_id", - "action", - "actor", + "request_id", + "user_id", + "user_agent", + "@timestamp", "actor_id", - "business", - "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor" ] }, { @@ -7251,57 +12809,99 @@ "description": "A project board was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", - "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" - }, - { - "action": "project_field.delete", - "description": "A field was deleted in a project board.", - "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", - "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" - }, + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], + "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" + }, + { + "action": "project_field.delete", + "description": "A field was deleted in a project board.", + "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], + "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" + }, { "action": "project.link", "description": "A repository was linked to a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "org_id", + "user_agent", + "request_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { @@ -7309,19 +12909,22 @@ "description": "A project board was renamed.", "docs_reference_links": "N/A", "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", "@timestamp", + "repo", "_document_id", - "action", + "user_agent", + "org_id", + "business_id", "actor", - "actor_id", - "business", + "repo_id", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business" ] }, { @@ -7329,19 +12932,19 @@ "description": "A repository was unlinked from a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo", + "repo_id", + "operation_type", "actor", + "action", + "created_at", "actor_id", - "business", + "_document_id", + "request_id", + "@timestamp", + "user_agent", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { @@ -7349,19 +12952,17 @@ "description": "The project's base-level permission for all organization members was changed or removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "@timestamp", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" ] }, { @@ -7369,19 +12970,18 @@ "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "org_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" ] }, { @@ -7389,31 +12989,60 @@ "description": "A user was added to or removed from a project board or had their permission level changed.", "docs_reference_links": "N/A", "fields": [ + "request_id", + "user_id", + "operation_type", "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_agent", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { @@ -7421,19 +13050,20 @@ "description": "A project's visibility was changed from public to private.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "project_kind", + "project_name" ] }, { @@ -7441,25 +13071,45 @@ "description": "A project's visibility was changed from private to public.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "project_kind", + "project_name", + "request_access_security_header" ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { @@ -7467,19 +13117,29 @@ "description": "A protected branch allowance was given to a specific user, team or integration.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "name", + "authorized_actors", + "policy", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -7487,19 +13147,27 @@ "description": "Branch protection was enabled on a branch.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "repo_id", + "user_id", "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", "_document_id", - "action", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" ] }, { @@ -7507,19 +13175,24 @@ "description": "Branch protection was disabled on a branch.", "docs_reference_links": "N/A", "fields": [ + "name", + "repo", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "actor_id", + "request_id", + "repo_id", + "org_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" ] }, { @@ -7527,19 +13200,22 @@ "description": "Enforcement of dismissing stale pull requests was updated on a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "repo", + "org", + "name", + "programmatic_access_type" ] }, { @@ -7547,19 +13223,24 @@ "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo", + "repo_id", "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { @@ -7567,19 +13248,32 @@ "description": "A branch protection requirement was overridden by a repository administrator.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo_id", + "created_at", "actor", + "reasons", + "@timestamp", + "before", + "after", "actor_id", - "business", - "org", "repo", - "user", - "created_at", "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", "programmatic_access_type", - "token_scopes" + "compliant_pull_request_ids", + "rule_suite_id" ] }, { @@ -7587,19 +13281,31 @@ "description": "A branch update attempt was rejected.", "docs_reference_links": "N/A", "fields": [ + "repo", + "org", "@timestamp", + "created_at", "_document_id", - "action", - "actor", - "actor_id", "business", - "org", - "repo", - "user", - "created_at", + "org_id", "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", "programmatic_access_type", - "token_scopes" + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" ] }, { @@ -7607,19 +13313,23 @@ "description": "Branch protection was enforced for repository administrators.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", + "admin_enforced", + "operation_type", + "user_agent", + "actor", "org", + "name", "repo", - "user", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -7627,43 +13337,126 @@ "description": "Force pushes were enabled or disabled for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "org_id", + "actor_id", + "name", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { @@ -7671,19 +13464,24 @@ "description": "A branch name pattern was updated for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "name", + "old_name", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -7691,19 +13489,25 @@ "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "name", + "org_id", "_document_id", - "action", - "actor", "actor_id", - "business", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", "org", "repo", - "user", + "action", + "business", + "user_agent", "created_at", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "token_scopes", + "programmatic_access_type" ] }, { @@ -7711,25 +13515,46 @@ "description": "Enforcement of required code owner review was updated for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", "action", + "@timestamp", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { @@ -7737,19 +13562,22 @@ "description": "Enforcement of the required number of approvals before merging was updated on a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "required_approving_review_count", "repo", - "user", + "request_id", + "repo_id", "created_at", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" ] }, { @@ -7757,19 +13585,25 @@ "description": "Enforcement of required status checks was updated for a branch.", "docs_reference_links": "N/A", "fields": [ + "actor", + "org_id", + "user_agent", "@timestamp", "_document_id", + "name", + "repo", "action", - "actor", - "actor_id", + "business_id", + "repo_id", "business", - "org", - "repo", - "user", - "created_at", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" ] }, { @@ -7777,19 +13611,22 @@ "description": "Enforcement of required commit signing was updated for a branch.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "name", "@timestamp", + "created_at", "_document_id", + "request_id", + "repo_id", + "org", + "org_id", "action", "actor", "actor_id", - "business", - "org", + "signature_requirement_enforcement_level", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "programmatic_access_type" ] }, { @@ -7797,85 +13634,286 @@ "description": "Enforcement of required status checks was updated for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", + "_document_id", "org", - "repo", - "user", + "@timestamp", "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", - "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" - }, - { - "action": "public_key.unverify", - "description": "A user account's SSH key or a repository's deploy key was unverified.", - "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], + "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" + }, + { + "action": "public_key.unverify", + "description": "A user account's SSH key or a repository's deploy key was unverified.", + "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { @@ -7883,19 +13921,17 @@ "description": "A pull request was marked as in progress.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -7903,31 +13939,64 @@ "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { @@ -7935,25 +14004,52 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "pull_request_id", + "pull_request_url", + "pull_request_title", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { @@ -7961,25 +14057,39 @@ "description": "A pull request was reopened after previously being closed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { @@ -7987,19 +14097,20 @@ "description": "A review comment on a pull request was deleted.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "actor", "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", "repo", - "user", "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -8007,19 +14118,18 @@ "description": "A review comment on a pull request was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "operation_type", + "user_agent", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -8027,73 +14137,239 @@ "description": "A review on a pull request was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "review_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { @@ -8101,42 +14377,46 @@ "description": "Pull request merge options were changed for a repository.", "docs_reference_links": "N/A", "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", "@timestamp", "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "action", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { @@ -8144,36 +14424,24 @@ "description": "Autofix for code scanning alerts was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8181,36 +14449,24 @@ "description": "Autofix for code scanning alerts was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8218,36 +14474,24 @@ "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8255,42 +14499,51 @@ "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { @@ -8298,36 +14551,19 @@ "description": "Prevention of direct alert dismissal for code scanning was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "repo_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" ] }, { @@ -8335,54 +14571,102 @@ "description": "Prevention of direct alert dismissal for code scanning was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "repo_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" ] }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { @@ -8390,36 +14674,20 @@ "description": "GitHub Codespaces was granted trusted repository access to this repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -8427,72 +14695,136 @@ "description": "GitHub Codespaces trusted repository access to this repository was revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { @@ -8500,54 +14832,108 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] + }, + { + "action": "repo.create", + "description": "A repository was created.", + "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ "repo", + "user_id", + "visibility", + "repo_id", "user", - "created_at", + "request_id", + "actor_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", "oauth_application_id", - "permission", - "visibility", + "org_id", + "request_method", + "business", + "business_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" - ] - }, - { - "action": "repo.create", - "description": "A repository was created.", - "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -8555,48 +14941,77 @@ "description": "A Codespaces or Dependabot secret was created for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "visibility", + "integration", "repo", - "user", - "created_at", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type", + "request_access_security_header" ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { @@ -8604,36 +15019,23 @@ "description": "A GitHub Pages custom domain was modified in a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "@timestamp", + "visibility", "repo", + "repo_id", "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "old_cname", + "programmatic_access_type" ] }, { @@ -8641,36 +15043,21 @@ "description": "A GitHub Pages site was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "actor_id", + "user", "_document_id", + "user_id", + "visibility", "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", "actor", - "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type" ] }, { @@ -8678,36 +15065,21 @@ "description": "A GitHub Pages site was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "created_at", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "operation_type", + "repo_id", + "programmatic_access_type" ] }, { @@ -8715,36 +15087,22 @@ "description": "HTTPS redirects were disabled for a GitHub Pages site.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "actor_id", + "repo_id", "_document_id", - "action", + "user_agent", "actor", - "actor_id", - "business", - "org", + "visibility", + "user_id", + "request_id", "repo", - "user", - "created_at", + "@timestamp", "operation_type", + "action", + "created_at", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -8752,73 +15110,42 @@ "description": "HTTPS redirects were enabled for a GitHub Pages site.", "docs_reference_links": "N/A", "fields": [ + "request_id", "@timestamp", - "_document_id", - "action", + "user_agent", + "user_id", + "created_at", + "visibility", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" ] }, { "action": "repo.pages_private", - "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", + "description": "A GitHub Pages site visibility was changed to private.", + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -8826,36 +15153,22 @@ "description": "A GitHub Pages site visibility was changed to public.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -8863,36 +15176,18 @@ "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "visibility", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -8900,36 +15195,22 @@ "description": "A GitHub Pages site that was previously soft-deleted was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "visibility", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -8937,54 +15218,91 @@ "description": "A GitHub Pages source was modified.", "docs_reference_links": "N/A", "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", "@timestamp", + "repo_id", + "user", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "request_id", + "visibility", "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "programmatic_access_type" ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -8992,48 +15310,74 @@ "description": "A Codespaces or Dependabot secret was deleted for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "integration", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { @@ -9041,42 +15385,49 @@ "description": "A topic was removed from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", "actor", - "actor_id", "business", - "org", + "request_id", "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { @@ -9084,36 +15435,26 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "old_branch", + "new_branch", + "default_branch", "repo", + "repo_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { @@ -9121,90 +15462,216 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", "action", - "actor", + "_document_id", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { @@ -9214,46 +15681,66 @@ "fields": [ "@timestamp", "_document_id", - "action", - "actor", + "user_agent", "actor_id", - "business", + "created_at", + "actor", + "repo_id", + "action", "org", + "org_id", + "request_id", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "operation_type" ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { @@ -9261,79 +15748,68 @@ "description": "A repository was transferred to another repository network.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "repo_id", + "actor_id", + "repo", + "request_access_security_header" ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { @@ -9341,42 +15817,51 @@ "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", + "policy", + "old_policy", "repo", - "user", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id" ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { @@ -9384,42 +15869,52 @@ "description": "A repository administrator changed GitHub Actions policy settings for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "actor_is_bot" ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -9427,36 +15922,23 @@ "description": "The default branch for a repository was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", + "repo_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type", + "actor_is_bot" ] }, { @@ -9464,36 +15946,26 @@ "description": "A Codespaces or Dependabot secret was updated for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "visibility", + "integration", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "request_access_security_header" ] }, { @@ -9501,42 +15973,56 @@ "description": "A user's permission to a repository was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", "action", + "_document_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "repo_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", "oauth_application_id", - "permission", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", "visibility", - "public_repo", - "key", - "name", - "owner", "old_permission", - "new_permission" + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { "action": "repository_advisory.close", "description": "Someone closed a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories", + "fields": [ + "actor", + "repo", + "@timestamp", + "business", + "business_id", + "user_agent", + "actor_id", + "request_id", + "action", + "operation_type", + "created_at", + "repo_id", + "_document_id", + "org", + "org_id", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories" }, { @@ -9544,19 +16030,19 @@ "description": "Someone requested a CVE (Common Vulnerabilities and Exposures) number from GitHub for a draft security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo_id", + "repo", + "org_id", "actor", - "actor_id", - "business", + "action", + "request_id", "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "user_agent", + "actor_id", + "_document_id", + "created_at" ] }, { @@ -9564,19 +16050,18 @@ "description": "GitHub made a security advisory public in the GitHub Advisory Database.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -9584,19 +16069,21 @@ "description": "GitHub withdrew a security advisory that was published in error.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -9604,19 +16091,18 @@ "description": "Someone opened a draft security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "operation_type", + "user_agent", "actor_id", - "business", - "org", + "actor", "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "repo_id", + "action", + "@timestamp", + "request_id", + "request_access_security_header" ] }, { @@ -9624,19 +16110,21 @@ "description": "Someone published a security advisory.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "user_agent", + "actor_id", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "repo_id", + "_document_id", "repo", - "user", + "business_id", + "business", + "request_id", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "org" ] }, { @@ -9644,19 +16132,18 @@ "description": "Someone reopened as draft security advisory.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "user_agent", + "repo", + "action", + "created_at", "@timestamp", + "request_id", + "actor_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "public_repo" ] }, { @@ -9664,31 +16151,73 @@ "description": "Someone edited a draft or published security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", + "repo_id", + "org_id", "business", - "org", - "repo", - "user", + "actor", + "user_agent", "created_at", + "_document_id", + "business_id", + "repo", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "@timestamp", + "request_id" ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { @@ -9696,19 +16225,26 @@ "description": "Code security was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -9716,37 +16252,95 @@ "description": "Code security was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "repository_content_analysis.disable", "description": "Data use settings were disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "repo_id", + "request_id", + "actor_id", + "created_at", + "user_agent", + "action", + "operation_type", + "actor", + "repo", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_content_analysis.enable", "description": "Data use settings were enabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "org", + "user_id", + "repo_id", + "@timestamp", + "request_id", + "actor", + "action", + "operation_type", + "created_at", + "actor_id", + "repo", + "user_agent", + "org_id", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.disable", "description": "The dependency graph was disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "repo_id", + "operation_type", + "user_id", + "repo", + "_document_id", + "actor", + "user", + "action", + "@timestamp", + "org_id", + "actor_id", + "org", + "created_at", + "user_agent", + "request_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea, tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { @@ -9754,19 +16348,25 @@ "description": "The dependency graph was enabled for a private repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", + "request_id", + "user", "org", + "org_id", + "action", "repo", - "user", + "user_id", "created_at", + "user_agent", + "actor_id", + "repo_id", "operation_type", + "actor", + "@timestamp", + "_document_id", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -9774,19 +16374,21 @@ "description": "An image to represent a repository was uploaded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", "action", + "request_id", "actor", - "actor_id", - "business", - "org", + "content_type", "repo", + "@timestamp", + "_document_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -9794,19 +16396,21 @@ "description": "An image to represent a repository was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "repo_id", + "user_agent", "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "@timestamp", + "request_access_security_header" ] }, { @@ -9814,19 +16418,21 @@ "description": "An invitation to join a repository was accepted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "request_id", + "repo", + "invitee", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" ] }, { @@ -9834,19 +16440,20 @@ "description": "An invitation to join a repository was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "inviter", "action", - "actor", - "actor_id", - "business", - "org", + "operation_type", + "_document_id", + "repo_id", "repo", - "user", + "@timestamp", + "user_agent", + "invitee", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "actor", + "actor_id", + "request_access_security_header" ] }, { @@ -9854,19 +16461,21 @@ "description": "An invitation to join a repository was sent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", "repo", - "user", "created_at", + "user_agent", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -9874,25 +16483,40 @@ "description": "An invitation to join a repository was declined.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo", "_document_id", - "action", "actor", + "invitee", + "action", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "inviter", + "user_agent", + "repo_id" ] }, { "action": "repository_projects_change.clear", "description": "The repository projects policy was removed for an organization, or all organizations in the enterprise Organization owners can now control their repository projects settings.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "action", + "user_agent", + "user", + "business_id", + "business", + "operation_type", + "actor", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { @@ -9900,19 +16524,20 @@ "description": "Repository projects were disabled for a repository, all repositories in an organization, or all organizations in an enterprise.", "docs_reference_links": "N/A", "fields": [ + "created_at", "@timestamp", - "_document_id", + "repo", "action", - "actor", + "operation_type", + "_document_id", "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "user_agent", + "repo_id", + "actor", + "request_id", + "programmatic_access_type" ] }, { @@ -9921,90 +16546,363 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "repo_id", "org", - "repo", + "request_id", "user", + "user_agent", "created_at", + "org_id", + "action", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "actor_id", + "repo" ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { @@ -10012,19 +16910,22 @@ "description": "Secret scanning was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -10032,19 +16933,24 @@ "description": "Generic secrets have been disabled at the repository level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -10052,67 +16958,225 @@ "description": "Generic secrets have been enabled at the repository level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { @@ -10120,19 +17184,28 @@ "description": "A code security configuration was applied to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -10140,19 +17213,27 @@ "description": "A code security configuration failed to attach to the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -10160,19 +17241,28 @@ "description": "A code security configuration was removed from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -10180,25 +17270,50 @@ "description": "A code security configuration was removed due to a change in repository or enterprise settings.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "repository_visibility_change.clear", "description": "The repository visibility change setting was cleared for an organization or enterprise.", "docs_reference_links": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-changes-to-repository-visibility", + "fields": [ + "created_at", + "_document_id", + "request_id", + "actor_id", + "business", + "action", + "operation_type", + "user", + "user_id", + "business_id", + "@timestamp", + "user_agent", + "actor", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, Enforcing repository management policies in your enterprise" }, { @@ -10206,19 +17321,20 @@ "description": "The ability for enterprise members to update a repository's visibility was disabled. Members are unable to change repository visibilities in an organization, or all organizations in an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user", + "org_id", + "created_at", + "user_agent", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "@timestamp", + "user_id", + "action", + "request_id", + "request_access_security_header" ] }, { @@ -10226,37 +17342,102 @@ "description": "The ability for enterprise members to update a repository's visibility was enabled. Members are able to change repository visibilities in an organization, or all organizations in an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", + "operation_type", + "_document_id", + "@timestamp", + "user_agent", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "org_id", + "action", + "actor_id", + "user_id", + "request_id" ] }, { "action": "repository_vulnerability_alert.auto_dismiss", "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.auto_reopen", "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.create", "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "fields": [ + "operation_type", + "request_id", + "repo_id", + "@timestamp", + "user_agent", + "alert_id", + "action", + "repo", + "created_at", + "_document_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ], "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts" }, { @@ -10264,19 +17445,26 @@ "description": "A Dependabot alert was manually dismissed.", "docs_reference_links": "N/A", "fields": [ + "repo_id", + "org_id", + "user_id", + "request_id", "@timestamp", + "operation_type", + "user_agent", + "alert_id", + "actor", + "repo", + "created_at", + "org", "_document_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", + "dismiss_reason", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "dismiss_comment", + "alert_number", + "actor_is_bot" ] }, { @@ -10284,19 +17472,22 @@ "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "alert_id", "created_at", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "_document_id", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "alert_number" ] }, { @@ -10304,19 +17495,26 @@ "description": "A Dependabot alert was manually reopened.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "alert_id", "created_at", + "action", + "repo", + "repo_id", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "public_repo", + "alert_number", + "request_access_security_header" ] }, { @@ -10324,19 +17522,21 @@ "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "alert_id", + "repo", + "operation_type", "action", + "repo_id", + "_document_id", + "user_agent", + "request_id", + "@timestamp", + "created_at", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "alert_number", + "programmatic_access_type" ] }, { @@ -10344,25 +17544,44 @@ "description": "A Dependabot alert was withdrawn.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "alert_id", + "alert_number", + "ghsa_id", + "created_at", + "active", "action", - "actor", - "actor_id", - "business", + "repository_id", + "repo", + "repo_id", + "public_repo", + "owner", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "_document_id", + "@timestamp", + "operation_type" ] }, { "action": "repository_vulnerability_alerts.authorized_users_teams", "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts", + "fields": [ + "org", + "_document_id", + "repo", + "org_id", + "operation_type", + "created_at", + "actor", + "action", + "@timestamp", + "user_agent", + "repo_id", + "request_id", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts" }, { @@ -10370,19 +17589,24 @@ "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -10390,19 +17614,26 @@ "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -10410,19 +17641,23 @@ "description": "Dependabot alerts was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", + "request_id", + "repo_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", "created_at", + "actor", + "user_agent", + "org_id", + "user", + "org", + "_document_id", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -10430,73 +17665,235 @@ "description": "Dependabot alerts was enabled.", "docs_reference_links": "N/A", "fields": [ + "actor", + "user_agent", + "created_at", "@timestamp", - "_document_id", + "repo_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "repo", + "org", + "org_id", + "actor_id", + "_document_id", + "user_id", "operation_type", + "request_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "required_status_check.create", "description": "A status check was marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "org", + "actor_id", + "@timestamp", + "business", + "request_id", + "context", + "repo_id", + "action", + "repo", + "_document_id", + "operation_type", + "business_id", + "org_id", + "actor", + "created_at", + "user_agent", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "required_status_check.destroy", "description": "A status check was no longer marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "actor_id", + "actor", + "created_at", + "context", + "operation_type", + "@timestamp", + "request_id", + "org", + "user_agent", + "repo_id", + "org_id", + "action", + "_document_id", + "repo", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "role.create", "description": "A new custom repository role was created.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "role_permissions", + "old_role_permissions" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.destroy", "description": "A custom repository role was deleted.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.update", "description": "A custom repository role was edited.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "old_role_permissions", + "old_base_role" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.public_leak", "description": "A secret scanning alert was leaked in a public repo.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "created_at" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { @@ -10504,25 +17901,45 @@ "description": "A secret scanning alert was reopened.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "number", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "secret_type_display_name" ] }, { "action": "secret_scanning_alert.report", "description": "A leaked secret was reported to the secret's provider by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "created_at", + "secret_type_display_name", + "secret_type_provider", + "report_result" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts" }, { @@ -10530,19 +17947,28 @@ "description": "A secret scanning alert was resolved.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "number", + "resolution", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" ] }, { @@ -10550,25 +17976,49 @@ "description": "A secret scanning alert was revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "number", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { @@ -10576,31 +18026,85 @@ "description": "A request to close a secret scanning alert was approved by a user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "request_reviewer_comment", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "secret_scanning_closure_request.cancel", "description": "N/A", "docs_reference_links": "A reqeust to close a secret scanning alert was canceled by a user.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "A, reqeust, to, close, a, secret, scanning, alert, was, canceled, by, a, user." }, { "action": "secret_scanning_closure_request.create", "description": "N/A", "docs_reference_links": "A user requested to close a secret scanning alert.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "reason", + "comment", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "A, user, requested, to, close, a, secret, scanning, alert." }, { @@ -10608,85 +18112,302 @@ "description": "A request to close a secret scanning alert was denied by a user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "request_reviewer_comment", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.cancel", "description": "A user canceled a request to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_push_protection_request.complete", "description": "A user pushed a commit containing a secret for which there is an approved secret scanning push protection bypass request.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_scan.completed", "description": "A secret scanning scan has completed on this repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "repo_id", + "org_id", + "business_id", + "source", + "type", + "source_slug", + "type_slug", + "started_at", + "completed_at", + "repo", + "public_repo", + "org", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "secret_types", + "custom_pattern_name", + "custom_pattern_scope" + ], "docs_reference_titles": "About secret scanning" }, { @@ -10694,19 +18415,42 @@ "description": "A security configuration was created", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" ] }, { @@ -10714,19 +18458,23 @@ "description": "A default security configuration setting for new repositories was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -10734,19 +18482,23 @@ "description": "A default security configuration setting for new repositories was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -10754,19 +18506,41 @@ "description": "A security configuration was deleted", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" ] }, { @@ -10774,19 +18548,17 @@ "description": "A security configuration policy was updated", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "enforcement", + "security_configuration_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -10794,19 +18566,42 @@ "description": "A security configuration was updated", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" ] }, { @@ -10814,25 +18609,38 @@ "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { @@ -10840,67 +18648,166 @@ "description": "The fiscal host for a GitHub Sponsors listing was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { @@ -10908,25 +18815,36 @@ "description": "A GitHub Sponsors account was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "sponsors_listing_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { @@ -10935,42 +18853,96 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", + "created_at", + "request_id", + "user", "action", + "user_agent", + "operation_type", + "_document_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id" ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { @@ -10978,19 +18950,20 @@ "description": "A GitHub Sponsors tier changed access for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -10998,19 +18971,18 @@ "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -11018,43 +18990,104 @@ "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { @@ -11062,19 +19095,17 @@ "description": "Automatic redirects for users to single sign-on (SSO) was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -11082,19 +19113,17 @@ "description": "Automatic redirects for users to single sign-on (SSO) was enabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -11102,19 +19131,20 @@ "description": "The verification code expiry time for an organization or enterprise domain was set.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -11122,19 +19152,18 @@ "description": "An organization or enterprise domain was unverified.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "owner_type", + "domain_name", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { @@ -11142,25 +19171,39 @@ "description": "An organization or enterprise domain was verified.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "domain_name", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { @@ -11168,31 +19211,65 @@ "description": "A team was given access and permissions to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", "org", "repo", - "user", - "created_at", - "operation_type", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { @@ -11200,25 +19277,44 @@ "description": "A new team is created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", "org", - "repo", - "user", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { @@ -11226,19 +19322,19 @@ "description": "A team was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "programmatic_access_type" ] }, { @@ -11246,25 +19342,40 @@ "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ + "business_id", + "operation_type", "@timestamp", - "_document_id", - "action", + "user_agent", "actor", "actor_id", - "business", - "org", - "repo", "user", + "business", + "action", + "request_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "_document_id" ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { @@ -11272,31 +19383,67 @@ "description": "Team discussions were enabled for an organization.", "docs_reference_links": "N/A", "fields": [ + "actor_id", "@timestamp", - "_document_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", "user", - "created_at", + "business", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "created_at" ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { @@ -11304,19 +19451,21 @@ "description": "A repository was removed from a team's control.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", + "org_id", + "repo", + "repo_id", "action", + "_document_id", "actor", + "@timestamp", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", "created_at", + "team", + "org", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { @@ -11324,31 +19473,61 @@ "description": "A team's name was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "name", + "user_agent", "created_at", + "team", "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { @@ -11356,19 +19535,19 @@ "description": "The Okta credentials for team synchronization with a tenant were changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -11376,19 +19555,28 @@ "description": "A team's permission to a repository was changed.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "team", + "org_id", "@timestamp", + "org", "_document_id", + "old_permission", + "request_id", + "repo", "action", + "repo_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" ] }, { @@ -11396,25 +19584,44 @@ "description": "An enterprise managed user claimed an email address.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { @@ -11422,19 +19629,18 @@ "description": "A Dependabot rule was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -11442,19 +19648,18 @@ "description": "A Dependabot rule was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -11462,19 +19667,20 @@ "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -11482,19 +19688,21 @@ "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -11502,19 +19710,21 @@ "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", "org", - "repo", - "user", + "org_id", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -11522,19 +19732,21 @@ "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", "org", - "repo", - "user", + "org_id", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -11542,25 +19754,47 @@ "description": "A Dependabot rule's conditions, actions, or metadata changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { @@ -11568,25 +19802,59 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { @@ -11594,37 +19862,122 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "workflow_run_id", + "run_number", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { @@ -11632,19 +19985,22 @@ "description": "A workflow was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "workflow_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -11652,19 +20008,21 @@ "description": "A workflow was enabled, after previously being disabled by disable_workflow.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "workflow_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -11672,37 +20030,118 @@ "description": "A workflow was pinned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { @@ -11710,19 +20149,25 @@ "description": "A workflow was unpinned after previously being pinned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghec/organization.json b/src/audit-logs/data/ghec/organization.json index ad90f40a07aa..6c79c0bd521d 100644 --- a/src/audit-logs/data/ghec/organization.json +++ b/src/audit-logs/data/ghec/organization.json @@ -4,25 +4,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "org", "@timestamp", + "operation_type", + "user_agent", "_document_id", + "created_at", "action", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { @@ -30,25 +42,52 @@ "description": "A GitHub Actions cache was deleted using the REST API.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "oauth_application_id", + "user_id", "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "advisory_credit.accept", "description": "Credit was accepted for a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory" }, { @@ -56,19 +95,21 @@ "description": "Someone was added to the credit section of a security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "ghsa_id", "repo", - "user", - "created_at", + "repo_id", + "recipient", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -76,19 +117,22 @@ "description": "Credit was declined for a security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "ghsa_id", "repo", - "user", - "created_at", + "repo_id", + "recipient", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -96,19 +140,22 @@ "description": "Someone was removed from the credit section of a security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "ghsa_id", "repo", - "user", - "created_at", + "repo_id", + "recipient", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -116,43 +163,101 @@ "description": "A workflow run artifact was manually deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", "actor", + "user_agent", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "request_id", + "@timestamp", "created_at", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { "action": "auto_approve_personal_access_token_requests.disable", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources. See also: personal_access_token.auto_approve_grant_requests_disabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "auto_approve_personal_access_token_requests.enable", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval. See also: personal_access_token.auto_approve_grant_requests_enabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { @@ -160,19 +265,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "oauth_application_id", "@timestamp", + "actor_id", + "operation_type", "_document_id", - "action", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "user_agent", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action" ] }, { @@ -180,31 +284,63 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { @@ -213,78 +349,210 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" ] }, { "action": "code_scanning.alert_appeared_in_branch", "description": "Existing code scanning alerts appeared in a branch.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_fixed", "description": "Code scanning alerts were fixed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_outdated", "description": "Code scanning alerts were closed as outdated (all configurations they were detected in were deleted).", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_numbers", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_by_user", "description": "Code scanning alerts were manually dismissed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers", + "dismissal_approver_id" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_approved", "description": "Dismissal of code scanning alerts was approved.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_denied", "description": "Dismissal of code scanning alerts was denied.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_requested", "description": "Dismissal of code scanning alerts was requested.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_created", "description": "Code scanning alerts were seen for the first time.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reappeared", "description": "Code scanning alerts that were previously fixed reappeared.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reopened_by_user", "description": "Code scanning alerts that were previously dismissed were reopened.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { @@ -292,19 +560,16 @@ "description": "A codespace using custom permissions from its devcontainer.json file was launched.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "origin_repository", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -312,25 +577,49 @@ "description": "An attempt to create a codespace from a prebuild was made.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "owner", + "pull_request_id", + "repository", + "repository_id", + "user_id", "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "codespaces.business_enablement_updated", "description": "Enterprise setting for Codespaces ownership was updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "organization_names", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { @@ -338,31 +627,79 @@ "description": "Credentials for a codespace were refreshed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "machine_type", + "devcontainer_path" ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { @@ -370,19 +707,18 @@ "description": "A codespace was exported to a branch on GitHub.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "public_repo" ] }, { @@ -390,19 +726,17 @@ "description": "Policies were applied to codespaces in an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -410,19 +744,20 @@ "description": "Policies were removed from codespaces in an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -430,19 +765,19 @@ "description": "Policies were updated for codespaces in an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -450,19 +785,19 @@ "description": "A codespace was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -470,19 +805,27 @@ "description": "A codespace was started.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "name", "org", - "repo", + "owner", + "pull_request_id", + "machine_type", + "user_id", "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -490,25 +833,39 @@ "description": "A codespace was stopped.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { @@ -516,19 +873,20 @@ "description": "A commit comment was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", "repo", - "user", + "org", + "org_id", "created_at", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "actor_id", + "request_id", + "_document_id", + "user_agent", + "action", + "programmatic_access_type" ] }, { @@ -536,19 +894,21 @@ "description": "A commit comment was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", + "repo_id", "actor", - "actor_id", - "business", "org", + "request_id", + "action", + "@timestamp", "repo", - "user", + "org_id", + "actor_id", "created_at", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -556,19 +916,21 @@ "description": "Copilot access was revoked for the organization or enterprise due to its Copilot subscription ending, an issue with billing the entity, the entity being marked spammy, or the entity being suspended.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "reason", + "plan", + "org_id", + "owner", "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -576,19 +938,15 @@ "description": "Copilot feature settings were changed at the organization level.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -596,25 +954,41 @@ "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { @@ -622,19 +996,24 @@ "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", + "token_id", + "token_scopes", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -642,19 +1021,17 @@ "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -662,19 +1039,20 @@ "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -682,19 +1060,19 @@ "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "seat_assignment", + "request_access_security_header" ] }, { @@ -702,19 +1080,21 @@ "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "user_id", "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -722,19 +1102,21 @@ "description": "The seat management setting was changed at the organization level to either enable or disable Copilot access for all members of the organization, or to enable Copilot access for selected members or teams.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "old_value", + "new_value", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -742,19 +1124,21 @@ "description": "The excluded paths for GitHub Copilot were updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "excluded_paths", + "owner_type", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -762,19 +1146,17 @@ "description": "Copilot custom instructions were created for the organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "request_access_security_header", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "custom_instructions" ] }, { @@ -782,43 +1164,111 @@ "description": "Copilot custom instructions were updated for the organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "request_access_security_header", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "custom_instructions" ] }, { "action": "copilot.knowledge_base_created", "description": "A knowledge base was created in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_deleted", "description": "A knowledge base was deleted from the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_updated", "description": "A knowledge base was updated in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.plan_changed", "description": "The plan for GitHub Copilot was updated.", "docs_reference_links": "/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_plan", + "plan", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About billing for GitHub Copilot" }, { @@ -826,19 +1276,23 @@ "description": "The plan for GitHub Copilot was scheduled to be downgraded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "org_id", + "owner", "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "current_plan", + "scheduled_plan" ] }, { @@ -846,19 +1300,22 @@ "description": "Specific repositories were disabled from using Copilot coding agent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "org_id", + "owner_type", "actor_id", - "business", - "org", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -866,19 +1323,23 @@ "description": "Specific repositories were enabled to use Copilot coding agent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", + "org_id", + "owner_type", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -886,19 +1347,22 @@ "description": "Copilot coding agent access was updated for the organization's or user's repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "new_access", + "old_access", + "org_id", + "owner_type", + "owner", "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -906,19 +1370,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "runner_group_id", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -926,19 +1394,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -946,79 +1416,257 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "runner_group_id", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", - "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" - }, - { - "action": "custom_property_value.create", - "description": "A repository's custom property value was manually set for the first time.", - "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], + "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" + }, + { + "action": "custom_property_value.create", + "description": "A repository's custom property value was manually set for the first time.", + "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { @@ -1026,19 +1674,22 @@ "description": "The default repository access for Dependabot was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", "org", - "repo", - "user", + "org_id", + "access_level", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -1046,25 +1697,38 @@ "description": "The repositories that Dependabot can access were updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -1072,25 +1736,40 @@ "description": "Dependabot security updates were enabled for all existing repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -1098,25 +1777,40 @@ "description": "Dependabot security updates were enabled for all new repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -1124,25 +1818,40 @@ "description": "The dependency graph was enabled for all existing repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -1150,19 +1859,20 @@ "description": "The dependency graph was enabled for all new repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { @@ -1170,19 +1880,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", + "org", + "repo_id", + "request_id", "action", "actor", + "org_id", + "_document_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", + "@timestamp", + "created_at", + "user_agent", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1190,19 +1902,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "repo_id", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", - "created_at", + "_document_id", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "repo", + "org_id", + "action", + "request_access_security_header" ] }, { @@ -1210,79 +1923,237 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "repo_id", + "user_agent", "actor_id", - "business", + "org_id", + "actor", "org", - "repo", - "user", - "created_at", + "action", "operation_type", + "@timestamp", + "request_id", + "title", + "_document_id", + "created_at", + "repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", - "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" - }, - { - "action": "discussion_post.update", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], + "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" + }, + { + "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_installation.create", "description": "The GitHub App associated with a GitHub Connect connection was created.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "operation_type", + "@timestamp", + "_document_id", + "org_id", + "action", + "request_id", + "org", + "actor_id", + "user_agent", + "actor" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "enterprise_installation.destroy", "description": "The GitHub App associated with a GitHub Connect connection was deleted.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "_document_id", + "action", + "@timestamp", + "actor_id", + "actor", + "user_agent", + "org", + "operation_type", + "request_id", + "org_id" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { @@ -1290,73 +2161,259 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "environment_name", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { @@ -1364,36 +2421,20 @@ "description": "A repository was cloned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", "actor", "actor_id", - "business", "org", - "repo", + "org_id", + "business", + "business_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_id", + "transport_protocol_name" ] }, { @@ -1401,73 +2442,42 @@ "description": "Changes were fetched from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", "actor", "actor_id", + "org", + "org_id", "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] + }, + { + "action": "git.push", + "description": "Changes were pushed to a repository.", + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", "org", - "repo", + "org_id", + "business", + "business_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" - ] - }, - { - "action": "git.push", - "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_id", + "transport_protocol_name" ] }, { @@ -1475,19 +2485,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1495,19 +2509,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -1515,19 +2531,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1535,19 +2554,25 @@ "description": "A hook's active status was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -1555,25 +2580,53 @@ "description": "A hook's configuration was changed.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "operation_type", "@timestamp", "_document_id", - "action", "actor", - "actor_id", - "business", + "name", "org", + "user_agent", + "request_id", + "hook_id", "repo", - "user", + "repo_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { @@ -1581,19 +2634,25 @@ "description": "A hook was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "events", "repo", - "user", "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -1601,19 +2660,26 @@ "description": "A hook's configured events were changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "events", "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -1621,19 +2687,22 @@ "description": "A GitHub App was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "operation_type", + "@timestamp", "actor", + "user_agent", "actor_id", - "business", - "org", - "repo", - "user", + "request_id", + "name", + "user_id", + "_document_id", + "integration", "created_at", - "operation_type", "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "application_client_id" ] }, { @@ -1641,19 +2710,19 @@ "description": "A GitHub App was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "user_id", "actor_id", - "business", - "org", - "repo", + "request_id", + "@timestamp", + "name", + "integration", "user", - "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent" ] }, { @@ -1661,85 +2730,282 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "name", + "integration", "business", - "org", - "repo", - "user", - "created_at", + "business_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "application_client_id" ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation_request.close", "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "url", + "actor", + "actor_id", + "created_at", + "request_id", + "operation_type", + "@timestamp", + "integration", + "action", + "user_agent", + "reason", + "_document_id", + "org", + "org_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation_request.create", "description": "A member requested that an owner install a GitHub App.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "@timestamp", + "actor_id", + "org", + "_document_id", + "requester", + "action", + "user_agent", + "created_at", + "url", + "org_id", + "request_id", + "operation_type", + "actor", + "integration", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { @@ -1747,19 +3013,20 @@ "description": "A client secret for a GitHub App was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" ] }, { @@ -1767,19 +3034,20 @@ "description": "All user tokens for a GitHub App were requested to be revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "application_client_id" ] }, { @@ -1787,37 +3055,93 @@ "description": "Token(s) for a GitHub App were revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "application_client_id" ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { @@ -1825,19 +3149,19 @@ "description": "An IP allow list was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "operation_type", "actor", - "actor_id", - "business", + "request_id", "org", - "repo", - "user", + "user_agent", + "_document_id", + "user_id", + "actor_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "action", + "@timestamp", + "user" ] }, { @@ -1845,19 +3169,19 @@ "description": "An IP allow list was disabled for installed GitHub Apps.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { @@ -1865,19 +3189,21 @@ "description": "An IP allow list was enabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", "_document_id", "action", - "actor", + "@timestamp", + "user_agent", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "created_at" ] }, { @@ -1885,19 +3211,19 @@ "description": "An IP allow list was enabled for installed GitHub Apps.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { @@ -1905,19 +3231,24 @@ "description": "An IP address was added to an IP allow list.", "docs_reference_links": "N/A", "fields": [ + "active", + "org", + "ip_allow_list_entry", "@timestamp", "_document_id", + "operation_type", + "created_at", + "user_agent", "action", - "actor", + "request_id", "actor_id", + "business_id", + "org_id", "business", - "org", - "repo", - "user", - "created_at", - "operation_type", + "actor", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1925,19 +3256,24 @@ "description": "An IP address was deleted from an IP allow list.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1945,19 +3281,19 @@ "description": "An IP address or its description was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" ] }, { @@ -1965,19 +3301,22 @@ "description": "A comment on an issue was deleted from the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", + "org_id", "org", "repo", - "user", + "actor_id", + "@timestamp", "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "repo_id", + "actor", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -1985,37 +3324,94 @@ "description": "A comment on an issue (other than the initial one) changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", "repo", - "user", + "org", + "action", + "repo_id", + "org_id", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "user_agent", + "request_id", + "_document_id", + "actor_id", + "actor", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "issue.destroy", "description": "An issue was deleted from the repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/deleting-an-issue", - "docs_reference_titles": "Deleting an issue" - }, + "fields": [ + "user", + "actor_id", + "created_at", + "title", + "@timestamp", + "_document_id", + "request_id", + "actor", + "user_id", + "action", + "operation_type", + "user_agent", + "repo", + "token_scopes", + "programmatic_access_type" + ], + "docs_reference_titles": "Deleting an issue" + }, { "action": "issue.pinned", "description": "An issue was pinned to a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "_document_id", + "user_agent", + "actor_id", + "created_at", + "action", + "actor", + "operation_type", + "owner_type", + "@timestamp", + "repo_id", + "request_id", + "number", + "repo", + "event", + "user", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issue.transfer", "description": "An issue was transferred to another repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/transferring-an-issue-to-another-repository", + "fields": [ + "user", + "user_id", + "@timestamp", + "user_agent", + "owner_type", + "actor_id", + "number", + "repo", + "operation_type", + "_document_id", + "repo_id", + "action", + "request_id", + "created_at", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "Transferring an issue to another repository" }, { @@ -2023,19 +3419,23 @@ "description": "An issue type was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "issue_type_name", + "description", + "color", + "enabled", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2043,19 +3443,23 @@ "description": "An issue type was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "issue_type_name", + "description", + "color", + "enabled", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2063,43 +3467,116 @@ "description": "An issue type was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "issue_type_name", + "description", + "color", + "enabled", + "old_issue_type_name", + "old_description", + "old_color", + "old_enabled", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "issue.unpinned", "description": "An issue was unpinned from a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "event", + "user_agent", + "actor_id", + "repo_id", + "actor", + "action", + "created_at", + "request_id", + "repo", + "operation_type", + "_document_id", + "number", + "owner_type", + "@timestamp", + "user", + "user_id", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issues.deletes_disabled", "description": "The ability for enterprise members to delete issues was disabled Members cannot delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user_agent", + "action", + "@timestamp", + "operation_type", + "request_id", + "actor_id", + "user_id", + "created_at", + "_document_id", + "actor", + "user", + "org", + "org_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_enabled", "description": "The ability for enterprise members to delete issues was enabled Members can delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "operation_type" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_policy_cleared", "description": "An enterprise owner cleared the policy setting for allowing members to delete issues in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user", + "request_id", + "actor", + "business_id", + "action", + "operation_type", + "user_agent", + "created_at", + "@timestamp", + "_document_id", + "business", + "user_id", + "actor_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { @@ -2107,19 +3584,18 @@ "description": "The GitHub Marketplace Developer Agreement was signed.", "docs_reference_links": "N/A", "fields": [ + "request_id", + "actor", + "actor_id", "@timestamp", "_document_id", + "user_agent", + "operation_type", + "created_at", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -2127,19 +3603,21 @@ "description": "A listing was approved for inclusion in GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "secondary_category", "actor", - "actor_id", - "business", - "org", - "repo", + "primary_category", "user", - "created_at", + "@timestamp", + "_document_id", + "user_id", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" ] }, { @@ -2147,19 +3625,21 @@ "description": "A category for a listing for an app in GitHub Marketplace was changed.", "docs_reference_links": "N/A", "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", "@timestamp", - "_document_id", + "integration", + "org_id", "action", - "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "secondary_category", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "actor_id", + "_document_id" ] }, { @@ -2167,19 +3647,22 @@ "description": "A listing for an app in GitHub Marketplace was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "primary_category", "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp" ] }, { @@ -2187,19 +3670,21 @@ "description": "A listing was removed from GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "org", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "org_id", "created_at", + "secondary_category", "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" ] }, { @@ -2207,19 +3692,22 @@ "description": "A listing was sent back to draft state.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" ] }, { @@ -2227,73 +3715,225 @@ "description": "A listing was not accepted for inclusion in GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "members_can_create_pages.disable", "description": "The ability for members to publish GitHub Pages sites was disabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_pages.enable", "description": "The ability for members to publish GitHub Pages sites was enabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.disable", "description": "The ability for members to publish private GitHub Pages was disabled Members cannot publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.enable", "description": "The ability for members to publish private GitHub Pages was enabled Members can publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.disable", "description": "The ability for members to publish public GitHub Pages was disabled Members cannot publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.enable", "description": "The ability for members to publish public GitHub Pages was enabled Members can publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", - "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" - }, - { - "action": "members_can_delete_repos.clear", - "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.", - "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", - "docs_reference_titles": "Enforcing repository management policies in your enterprise" - }, + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], + "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" + }, + { + "action": "members_can_delete_repos.clear", + "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.", + "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "_document_id", + "request_id", + "user", + "user_id", + "business", + "operation_type", + "user_agent", + "actor", + "actor_id", + "business_id", + "@timestamp", + "created_at", + "action" + ], + "docs_reference_titles": "Enforcing repository management policies in your enterprise" + }, { "action": "members_can_delete_repos.disable", "description": "The ability for enterprise members to delete repositories was disabled Members cannot delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "request_id", + "org", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "actor", + "operation_type", + "org_id", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.enable", "description": "The ability for enterprise members to delete repositories was enabled Members can delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "action", + "org_id", + "user_id", + "business", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user", + "business_id", + "created_at", + "actor", + "org", + "operation_type", + "user_agent" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { @@ -2303,29 +3943,61 @@ "fields": [ "@timestamp", "_document_id", - "action", - "actor", + "user_agent", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "actor", + "action", + "operation_type" ] }, { "action": "members_can_view_dependency_insights.disable", "description": "The ability for enterprise members to view dependency insights was disabled. Members cannot view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "business", + "created_at", + "user_id", + "business_id", + "user", + "org", + "operation_type", + "request_id", + "actor", + "_document_id", + "action", + "user_agent", + "actor_id", + "org_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "members_can_view_dependency_insights.enable", "description": "The ability for enterprise members to view dependency insights was enabled. Members can view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "user_agent", + "user", + "user_id", + "business", + "business_id", + "operation_type", + "@timestamp", + "action", + "actor", + "actor_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { @@ -2333,19 +4005,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2353,19 +4025,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2373,19 +4049,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2393,19 +4068,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2413,19 +4089,14 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "user", "@timestamp", "_document_id", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_access_security_header" ] }, { @@ -2433,19 +4104,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -2453,19 +4124,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "action", "org", - "repo", - "user", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" ] }, { @@ -2473,19 +4143,23 @@ "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo", + "org_id", "_document_id", + "org", + "repo_id", "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2493,19 +4167,16 @@ "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was deleted.", "docs_reference_links": "N/A", "fields": [ + "org", "@timestamp", - "_document_id", + "org_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "repo", + "_document_id", + "repo_id", + "request_access_security_header" ] }, { @@ -2513,97 +4184,309 @@ "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was downloaded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "org_id", + "request_id", + "oauth_application_id", + "repo_id", + "operation_type", + "@timestamp", + "user_agent", + "created_at", "org", + "action", + "_document_id", "repo", - "user", - "created_at", - "operation_type", + "actor", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "network_configuration.create", "description": "A network configuration for a hosted compute service was created.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.delete", "description": "A network configuration for a hosted compute service was deleted.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.update", "description": "A network configuration for a hosted compute service was updated.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", - "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" - }, - { - "action": "oauth_application.generate_client_secret", - "description": "An OAuth application's secret key was generated.", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], + "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" + }, + { + "action": "oauth_application.generate_client_secret", + "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { @@ -2611,19 +4494,22 @@ "description": "An organization prevented access to resources by users with the given two-factor method.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "two_factor_method", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2631,19 +4517,22 @@ "description": "A user joined an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "permission", "_document_id", - "action", - "actor", - "actor_id", - "business", "org", - "repo", + "operation_type", + "request_id", + "actor", "user", + "@timestamp", "created_at", - "operation_type", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2651,19 +4540,24 @@ "description": "An outside collaborator was added to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "inviter", "org", + "org_id", "repo", - "user", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2671,19 +4565,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "org_id", "org", - "repo", - "user", + "team", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "programmatic_access_type" ] }, { @@ -2691,18 +4587,19 @@ "description": "GitHub Advanced Security was disabled for new repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -2711,18 +4608,21 @@ "description": "GitHub Advanced Security was disabled for all repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -2731,18 +4631,19 @@ "description": "GitHub Advanced Security was enabled for new repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -2751,18 +4652,21 @@ "description": "GitHub Advanced Security was enabled for all repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -2770,30 +4674,105 @@ "action": "org.advanced_security_entity_policy_update", "description": "An enterprise owner updated the GitHub Advanced Security access policy for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "new_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_disabled", "description": "Third-party application access for outside collaborators was disabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_enabled", "description": "Third-party application access for outside collaborators was enabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { @@ -2801,31 +4780,59 @@ "description": "The organization was archived.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "org.audit_log_export", "description": "An export of the organization audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log", - "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" - }, - { + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "actor", + "org", + "action", + "created_at", + "user_agent", + "actor_id" + ], + "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" + }, + { "action": "org.audit_log_git_event_export", "description": "An export of the organization's Git events was created.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "start", + "end", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization" }, { @@ -2833,31 +4840,59 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "created_at", + "request_id", + "user_agent", + "action", "@timestamp", + "actor_id", + "org_id", "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { @@ -2865,19 +4900,22 @@ "description": "An invitation sent to a user to join an organization was revoked.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "org_id", + "request_id", + "email", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "action", + "operation_type", + "user_agent", "org", - "repo", - "user", + "invitation_id", + "_document_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "invitee_email", + "token_scopes", + "programmatic_access_type" ] }, { @@ -2885,19 +4923,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -2905,19 +4943,19 @@ "description": "Cleared two-factor authentication restrictions for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -2925,19 +4963,23 @@ "description": "Autofix for code scanning alerts was disabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2945,19 +4987,21 @@ "description": "Autofix for code scanning alerts was enabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2965,19 +5009,23 @@ "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2985,43 +5033,114 @@ "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codespaces_access_updated", "description": "Access to use Codespaces on internal and private repositories was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization" }, { "action": "org.codespaces_ownership_updated", "description": "Ownership and payment for codespaces was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { @@ -3029,19 +5148,18 @@ "description": "A team has been allowed to use Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -3049,31 +5167,58 @@ "description": "A team has been prevented from using Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "org.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to all other repositories in an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to all other repositories in an organization was revoked.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { @@ -3081,19 +5226,21 @@ "description": "A user has been allowed to use Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -3101,55 +5248,135 @@ "description": "A user has been prevented from using Codespaces for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { @@ -3157,49 +5384,126 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", + "token_id", + "token_scopes", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.connect_usage_metrics_export", "description": "Server statistics were exported for the organization.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/exporting-server-statistics", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Exporting Server Statistics" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.create_actions_secret", "description": "A GitHub Actions secret was created for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.create_actions_variable", "description": "A GitHub Actions variable was created for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -3207,18 +5511,20 @@ "description": "A Codespaces or Dependabot secret was created for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "key", + "visibility", + "integration", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -3226,18 +5532,90 @@ "action": "org_credential_authorization.deauthorize", "description": "A member removed the SSO (SAML or OIDC) authorization from a credential that had access to your organization.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor_id", + "org_id", + "business", + "action", + "@timestamp", + "org", + "_document_id", + "business_id", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authorizing a personal access token for use with single sign-on" }, { "action": "org_credential_authorization.grant", "description": "A member authorized credentials for use with SAML or OIDC single sign-on.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "created_at", + "org_id", + "business_id", + "operation_type", + "request_id", + "_document_id", + "action", + "actor_id", + "business", + "org", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "request_access_security_header", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authenticating with single sign-on" }, { "action": "org_credential_authorization.revoke", "description": "An owner revoked authorized credentials.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization", + "fields": [ + "actor", + "org", + "@timestamp", + "owner", + "oauth_application_id", + "org_id", + "operation_type", + "action", + "business", + "request_id", + "created_at", + "business_id", + "actor_id", + "_document_id", + "user_agent", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { @@ -3245,37 +5623,80 @@ "description": "An organization was deleted by a user or staff.", "docs_reference_links": "N/A", "fields": [ + "user_agent", "@timestamp", "_document_id", - "action", + "created_at", "actor", - "actor_id", - "business", + "org_id", "org", - "repo", - "user", - "created_at", + "action", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "request_access_security_header" ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were disabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "org_id", + "action", + "_document_id", + "request_id", + "@timestamp", + "actor", + "org", + "operation_type", + "user_agent", + "created_at" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { @@ -3283,25 +5704,38 @@ "description": "SAML single sign-on was disabled for an organization.", "docs_reference_links": "N/A", "fields": [ + "org_id", + "sso_url", + "issuer", + "action", "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "operation_type" ] }, { "action": "org.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { @@ -3309,19 +5743,17 @@ "description": "A two-factor authentication requirement was disabled for the organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "created_at", + "org", + "org_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "@timestamp", + "_document_id", + "user_agent" ] }, { @@ -3329,19 +5761,19 @@ "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", + "user_id", "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" ] }, { @@ -3349,55 +5781,143 @@ "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "org", + "user_agent", + "request_id", + "actor", "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were enabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "operation_type", + "org", + "created_at", + "_document_id", + "actor", + "org_id", + "action", + "user_agent", + "request_id", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { @@ -3405,19 +5925,18 @@ "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "org_id", + "manager", "@timestamp", - "_document_id", - "action", + "request_id", "actor", + "operation_type", + "_document_id", "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "created_at" ] }, { @@ -3425,25 +5944,43 @@ "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", "docs_reference_links": "N/A", "fields": [ + "org_id", "@timestamp", - "_document_id", + "org", + "user_agent", + "request_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "manager", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "_document_id" ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { @@ -3451,19 +5988,19 @@ "description": "An organization was invited to join an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -3471,19 +6008,19 @@ "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", + "org_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -3491,25 +6028,41 @@ "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", "docs_reference_links": "N/A", "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", "@timestamp", + "created_at", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action" ] }, { "action": "org.oauth_app_access_approved", "description": "Access to an organization was granted for an OAuth App.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization", + "fields": [ + "url", + "actor", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "org_id", + "_document_id", + "org", + "action", + "created_at", + "@timestamp", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization" }, { @@ -3517,25 +6070,41 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "url", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { "action": "org.oauth_app_access_denied", "description": "Access was disabled for an OAuth App that was previously approved.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization", + "fields": [ + "request_id", + "url", + "created_at", + "org_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "org", + "operation_type", + "actor", + "actor_id", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization" }, { @@ -3543,19 +6112,20 @@ "description": "An organization member requested that an owner grant an OAuth App access to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "operation_type", + "created_at", + "user_agent", "actor_id", - "business", + "_document_id", + "request_id", + "url", + "org_id", + "action", + "@timestamp", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "oauth_application_name" ] }, { @@ -3563,19 +6133,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "url", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -3584,78 +6155,231 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", + "created_at", + "request_id", + "org_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "org" ] }, { "action": "org.recovery_code_failed", "description": "An organization owner failed to sign into a organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_code_used", "description": "An organization owner successfully signed into an organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_codes_downloaded", "description": "An organization owner downloaded the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_generated", "description": "An organization owner generated the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_printed", "description": "An organization owner printed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_viewed", "description": "An organization owner viewed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_actions_secret", "description": "A GitHub Actions secret was removed from an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.remove_actions_variable", "description": "A GitHub Actions variable was removed from an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { @@ -3663,19 +6387,22 @@ "description": "Removed a two-factor authentication method restriction for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "two_factor_method", "org", - "repo", + "org_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -3683,18 +6410,21 @@ "description": "A Codespaces or Dependabot secret was removed from an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "key", + "integration", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -3703,19 +6433,21 @@ "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", "created_at", + "user", "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "org", + "token_scopes", + "programmatic_access_type" ] }, { @@ -3723,19 +6455,21 @@ "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", "org", - "repo", "user", + "org_id", "created_at", + "request_id", + "@timestamp", + "action", "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -3743,25 +6477,41 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "org_id", "org", - "repo", - "user", + "team", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "programmatic_access_type" ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { @@ -3769,151 +6519,514 @@ "description": "An organization was renamed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", "_document_id", + "@timestamp", + "org", "action", "actor", + "old_login", + "org_id", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_access_security_header" ] }, { "action": "org.required_workflow_create", "description": "Triggered when a required workflow is created.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_delete", "description": "Triggered when a required workflow is deleted.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_update", "description": "Triggered when a required workflow is updated.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.revoke_external_identity", "description": "A member's linked identity was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor", + "org", + "org_id", + "user", + "operation_type", + "user_id", + "@timestamp", + "action", + "actor_id", + "user_agent", + "_document_id", + "request_id", + "created_at" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.revoke_sso_session", "description": "A member's SAML session was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor_id", + "created_at", + "user", + "action", + "operation_type", + "@timestamp", + "org", + "org_id", + "user_agent", + "request_id", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_renamed", "description": "A self-hosted runner group was renamed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_visiblity_updated", "description": "The visibility of a self-hosted runner group was updated via the REST API.", "docs_reference_links": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization", - "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" - }, - { - "action": "org_secret_scanning_automatic_validity_checks.disabled", - "description": "Automatic partner validation checks have been disabled at the organization level", - "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", - "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "visibility", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], + "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" + }, + { + "action": "org_secret_scanning_automatic_validity_checks.disabled", + "description": "Automatic partner validation checks have been disabled at the organization level", + "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], + "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { @@ -3921,19 +7034,22 @@ "description": "Generic secrets have been disabled at the organization level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -3941,109 +7057,374 @@ "description": "Generic secrets have been enabled at the organization level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", - "docs_reference_titles": "About push protection" - }, - { - "action": "org.secret_scanning_push_protection_new_repos_enable", - "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", - "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], + "docs_reference_titles": "About push protection" + }, + { + "action": "org.secret_scanning_push_protection_new_repos_enable", + "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", + "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { @@ -4051,19 +7432,27 @@ "description": "A CSV export was requested on the CodeQL pull request alerts page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -4071,19 +7460,26 @@ "description": "A CSV export was requested on the Coverage page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4091,19 +7487,28 @@ "description": "A CSV export was requested on the Overview Dashboard page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4111,55 +7516,137 @@ "description": "A CSV export was requested on the Risk page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { @@ -4167,37 +7654,77 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", "_document_id", - "action", + "org_id", + "operation_type", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", + "request_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "action" ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { @@ -4205,31 +7732,68 @@ "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "user_agent", "actor", "actor_id", - "business", + "org_id", + "@timestamp", "org", - "repo", - "user", - "created_at", + "issuer", + "business", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "org.transfer", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "from_business", + "to_business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.transfer_outgoing", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "business", + "business_id", + "from_business", + "to_business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { @@ -4237,43 +7801,107 @@ "description": "The organization was unarchived.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_secret", "description": "A GitHub Actions secret was updated for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "created_at", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_actions_variable", "description": "A GitHub Actions variable was updated for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -4281,19 +7909,20 @@ "description": "The default repository permission level for organization members was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" ] }, { @@ -4301,19 +7930,22 @@ "description": "A Codespaces or Dependabot secret was updated for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "key", + "visibility", + "integration", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4322,18 +7954,20 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", + "org_id", + "created_at", "_document_id", + "user", + "user_id", "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "old_permission", + "permission", + "actor", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "org" ] }, { @@ -4341,31 +7975,60 @@ "description": "The create repository permission for organization members was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "action", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "permission", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_new_repository_default_branch_setting", "description": "The name of the default branch was changed for new repositories in the organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization" }, { @@ -4373,19 +8036,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "old_repo_runners_policy", + "new_repo_runners_policy", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4393,67 +8056,173 @@ "description": "An organization's SAML provider settings were updated.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", "@timestamp", + "issuer", + "org", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "org_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "action" ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_default_label.create", "description": "A default label was created for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label", + "fields": [ + "request_id", + "actor_id", + "actor", + "org", + "org_id", + "operation_type", + "_document_id", + "action", + "created_at", + "@timestamp", + "user_agent", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label" }, { "action": "organization_default_label.destroy", "description": "A default label was deleted for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label", + "fields": [ + "operation_type", + "request_id", + "actor", + "@timestamp", + "_document_id", + "actor_id", + "org_id", + "org", + "action", + "created_at", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label" }, { "action": "organization_default_label.update", "description": "A default label was edited for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label", + "fields": [ + "org", + "created_at", + "@timestamp", + "actor", + "action", + "user_agent", + "actor_id", + "org_id", + "operation_type", + "request_id", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { @@ -4461,19 +8230,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "team", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4481,19 +8249,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4501,19 +8269,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "team", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4521,67 +8288,222 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { "action": "organization_projects_change.clear", "description": "An enterprise owner cleared the policy setting for organization-wide project boards in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor", + "business_id", + "@timestamp", + "actor_id", + "user", + "user_id", + "action", + "user_agent", + "_document_id", + "created_at", + "operation_type", + "request_id", + "business" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.disable", "description": "Organization projects were disabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "org_id", + "action", + "user", + "org", + "created_at", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.enable", "description": "Organization projects were enabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor_id", + "org_id", + "created_at", + "user_id", + "org", + "@timestamp", + "_document_id", + "user_agent", + "actor", + "request_id", + "user", + "action", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_role.assign", "description": "An organization role was assigned to a user or team.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.create", "description": "A custom organization role was created in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", - "docs_reference_titles": "About custom organization roles" - }, - { - "action": "organization_role.destroy", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], + "docs_reference_titles": "About custom organization roles" + }, + { + "action": "organization_role.destroy", "description": "A custom organization role was deleted in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.revoke", "description": "A user or team was unassigned an organization role.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.update", "description": "A custom organization role was edited in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "old_role_permissions", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "old_base_role" + ], "docs_reference_titles": "About custom organization roles" }, { @@ -4589,25 +8511,45 @@ "description": "An organization's default project base role was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { @@ -4615,25 +8557,49 @@ "description": "A package was published or republished to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "actor", "org", + "org_id", "repo", - "user", - "created_at", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { @@ -4641,37 +8607,87 @@ "description": "A specific package version was published or republished to a package.", "docs_reference_links": "N/A", "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", "@timestamp", + "created_at", "_document_id", - "action", - "actor", - "actor_id", "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business_id", + "actor_is_bot" ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { @@ -4679,19 +8695,18 @@ "description": "A new payment method was added, such as a new credit card or PayPal account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", "_document_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4699,19 +8714,16 @@ "description": "A payment method was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "_document_id", + "request_access_security_header" ] }, { @@ -4719,25 +8731,40 @@ "description": "An existing payment method was updated.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", "@timestamp", - "_document_id", "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "_document_id", + "request_access_security_header" ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { @@ -4745,19 +8772,22 @@ "description": "The configured restriction for access to resources via personal access tokens was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "programmatic_access_type", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4765,25 +8795,44 @@ "description": "The configured restriction for access to resources via personal access tokens was enabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "programmatic_access_type", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { @@ -4791,19 +8840,21 @@ "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -4811,19 +8862,21 @@ "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -4831,19 +8884,23 @@ "description": "A personal access token expiration limit was set.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", + "user_agent", + "request_id", "programmatic_access_type", - "token_scopes" + "token_expiration", + "old_token_expiration", + "exempt_administrators", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4851,19 +8908,21 @@ "description": "A personal access token expiration limit was unset.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "old_token_expiration", "business", - "org", - "repo", - "user", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -4871,55 +8930,165 @@ "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "user_programmatic_access_name", "org", - "repo", - "user", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_programmatic_access_request_id" ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "prebuild_configuration.create", "description": "A GitHub Codespaces prebuild configuration for a repository was created.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.destroy", "description": "A GitHub Codespaces prebuild configuration for a repository was deleted.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.run_triggered", "description": "A user initiated a run of a GitHub Codespaces prebuild configuration for a repository branch.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.update", "description": "A GitHub Codespaces prebuild configuration for a repository was edited.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { @@ -4927,19 +9096,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4947,19 +9114,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4967,19 +9134,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4987,19 +9152,19 @@ "description": "An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "user_id", "action", - "actor", + "operation_type", + "@timestamp", + "business_id", "actor_id", - "business", - "org", - "repo", "user", + "business", + "request_id", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id" ] }, { @@ -5007,19 +9172,23 @@ "description": "An enterprise owner disabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are never allowed to be forked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo_id", + "created_at", + "actor_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "repo", + "action", + "user_agent", + "@timestamp", + "org", "operation_type", + "request_id", + "user_id", + "org_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5027,19 +9196,23 @@ "description": "An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "actor_id", + "user_id", + "operation_type", "_document_id", "action", - "actor", - "actor_id", - "business", - "org", + "@timestamp", "repo", + "org", + "business", + "user_agent", + "request_id", + "actor", + "repo_id", "user", + "org_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business_id" ] }, { @@ -5047,19 +9220,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -5067,19 +9240,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -5087,19 +9260,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -5107,25 +9280,39 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { @@ -5133,19 +9320,17 @@ "description": "A project board visibility was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", + "actor", + "user_agent", + "operation_type", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" ] }, { @@ -5153,25 +9338,48 @@ "description": "A project's base role was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", + "project_number", + "public_project", "business", + "project_id", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { @@ -5179,19 +9387,25 @@ "description": "A collaborator was added to a project.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "collaborator_type", "org", - "repo", - "user", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" ] }, { @@ -5199,19 +9413,20 @@ "description": "A collaborator was removed from a project.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "collaborator_type", "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5219,19 +9434,25 @@ "description": "A project collaborator's permission level was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5239,19 +9460,17 @@ "description": "A project board was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "operation_type", + "user", "_document_id", - "action", - "actor", + "request_id", + "user_id", + "user_agent", + "@timestamp", "actor_id", - "business", - "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor" ] }, { @@ -5259,31 +9478,57 @@ "description": "A project board was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { @@ -5291,25 +9536,41 @@ "description": "A repository was linked to a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "org_id", + "user_agent", + "request_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { @@ -5317,19 +9578,22 @@ "description": "A project board was renamed.", "docs_reference_links": "N/A", "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", "@timestamp", + "repo", "_document_id", - "action", + "user_agent", + "org_id", + "business_id", "actor", - "actor_id", - "business", + "repo_id", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business" ] }, { @@ -5337,19 +9601,19 @@ "description": "A repository was unlinked from a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo", + "repo_id", + "operation_type", "actor", + "action", + "created_at", "actor_id", - "business", + "_document_id", + "request_id", + "@timestamp", + "user_agent", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { @@ -5357,19 +9621,17 @@ "description": "The project's base-level permission for all organization members was changed or removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "@timestamp", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" ] }, { @@ -5377,19 +9639,18 @@ "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "org_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" ] }, { @@ -5397,31 +9658,60 @@ "description": "A user was added to or removed from a project board or had their permission level changed.", "docs_reference_links": "N/A", "fields": [ + "request_id", + "user_id", + "operation_type", "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_agent", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { @@ -5429,19 +9719,20 @@ "description": "A project's visibility was changed from public to private.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "project_kind", + "project_name" ] }, { @@ -5449,25 +9740,45 @@ "description": "A project's visibility was changed from private to public.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "project_kind", + "project_name", + "request_access_security_header" ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { @@ -5475,19 +9786,29 @@ "description": "A protected branch allowance was given to a specific user, team or integration.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "name", + "authorized_actors", + "policy", "repo", - "user", - "created_at", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -5495,19 +9816,27 @@ "description": "Branch protection was enabled on a branch.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "repo_id", + "user_id", "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", "_document_id", - "action", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" ] }, { @@ -5515,19 +9844,24 @@ "description": "Branch protection was disabled on a branch.", "docs_reference_links": "N/A", "fields": [ + "name", + "repo", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "actor_id", + "request_id", + "repo_id", + "org_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" ] }, { @@ -5535,19 +9869,22 @@ "description": "Enforcement of dismissing stale pull requests was updated on a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "repo", + "org", + "name", + "programmatic_access_type" ] }, { @@ -5555,19 +9892,24 @@ "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo", + "repo_id", "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { @@ -5575,19 +9917,32 @@ "description": "A branch protection requirement was overridden by a repository administrator.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo_id", + "created_at", "actor", + "reasons", + "@timestamp", + "before", + "after", "actor_id", - "business", - "org", "repo", - "user", - "created_at", "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", "programmatic_access_type", - "token_scopes" + "compliant_pull_request_ids", + "rule_suite_id" ] }, { @@ -5595,19 +9950,31 @@ "description": "A branch update attempt was rejected.", "docs_reference_links": "N/A", "fields": [ + "repo", + "org", "@timestamp", + "created_at", "_document_id", - "action", - "actor", - "actor_id", "business", - "org", - "repo", - "user", - "created_at", + "org_id", "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", "programmatic_access_type", - "token_scopes" + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" ] }, { @@ -5615,19 +9982,23 @@ "description": "Branch protection was enforced for repository administrators.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", + "admin_enforced", + "operation_type", + "user_agent", + "actor", "org", + "name", "repo", - "user", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -5635,19 +10006,22 @@ "description": "Branch deletion was enabled or disabled for a protected branch.", "docs_reference_links": "N/A", "fields": [ + "name", + "operation_type", + "request_id", + "repo", "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", + "org_id", "org", - "repo", - "user", + "action", + "allow_deletions_enforcement_level", + "_document_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" ] }, { @@ -5655,25 +10029,49 @@ "description": "Force pushes were enabled or disabled for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "org_id", + "actor_id", + "name", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { @@ -5681,37 +10079,99 @@ "description": "Required linear commit history was enabled or disabled for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "actor_id", "action", + "user_agent", + "operation_type", "actor", - "actor_id", - "business", - "org", + "linear_history_requirement_enforcement_level", "repo", - "user", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "programmatic_access_type" ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { @@ -5719,19 +10179,24 @@ "description": "A branch name pattern was updated for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "name", + "old_name", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5739,19 +10204,25 @@ "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "name", + "org_id", "_document_id", - "action", - "actor", "actor_id", - "business", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", "org", "repo", - "user", + "action", + "business", + "user_agent", "created_at", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "token_scopes", + "programmatic_access_type" ] }, { @@ -5759,25 +10230,46 @@ "description": "Enforcement of required code owner review was updated for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", "action", + "@timestamp", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { @@ -5785,19 +10277,22 @@ "description": "Enforcement of the required number of approvals before merging was updated on a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "required_approving_review_count", "repo", - "user", + "request_id", + "repo_id", "created_at", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" ] }, { @@ -5805,19 +10300,25 @@ "description": "Enforcement of required status checks was updated for a branch.", "docs_reference_links": "N/A", "fields": [ + "actor", + "org_id", + "user_agent", "@timestamp", "_document_id", + "name", + "repo", "action", - "actor", - "actor_id", + "business_id", + "repo_id", "business", - "org", - "repo", - "user", - "created_at", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" ] }, { @@ -5825,19 +10326,22 @@ "description": "Enforcement of required commit signing was updated for a branch.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "name", "@timestamp", + "created_at", "_document_id", + "request_id", + "repo_id", + "org", + "org_id", "action", "actor", "actor_id", - "business", - "org", + "signature_requirement_enforcement_level", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "programmatic_access_type" ] }, { @@ -5845,85 +10349,286 @@ "description": "Enforcement of required status checks was updated for a branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", + "_document_id", "org", - "repo", - "user", + "@timestamp", "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { @@ -5931,19 +10636,17 @@ "description": "A pull request was marked as in progress.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5951,31 +10654,64 @@ "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "business_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { @@ -5983,25 +10719,52 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "pull_request_id", + "pull_request_url", + "pull_request_title", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { @@ -6009,25 +10772,39 @@ "description": "A pull request was reopened after previously being closed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { @@ -6035,19 +10812,20 @@ "description": "A review comment on a pull request was deleted.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "actor", "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", "repo", - "user", "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -6055,19 +10833,18 @@ "description": "A review comment on a pull request was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "operation_type", + "user_agent", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -6075,73 +10852,239 @@ "description": "A review on a pull request was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "pull_request_id", + "review_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { @@ -6149,42 +11092,46 @@ "description": "Pull request merge options were changed for a repository.", "docs_reference_links": "N/A", "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", "@timestamp", "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "action", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { @@ -6192,36 +11139,24 @@ "description": "Autofix for code scanning alerts was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -6229,36 +11164,24 @@ "description": "Autofix for code scanning alerts was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -6266,36 +11189,24 @@ "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -6303,42 +11214,51 @@ "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { @@ -6346,36 +11266,19 @@ "description": "Prevention of direct alert dismissal for code scanning was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "repo_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" ] }, { @@ -6383,54 +11286,102 @@ "description": "Prevention of direct alert dismissal for code scanning was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "repo_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" ] }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { @@ -6438,36 +11389,20 @@ "description": "GitHub Codespaces was granted trusted repository access to this repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -6475,72 +11410,136 @@ "description": "GitHub Codespaces trusted repository access to this repository was revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { @@ -6548,54 +11547,108 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "oauth_application_id", + "token_id", + "token_scopes", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -6603,48 +11656,77 @@ "description": "A Codespaces or Dependabot secret was created for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "visibility", + "integration", "repo", - "user", - "created_at", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type", + "request_access_security_header" ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { @@ -6652,36 +11734,23 @@ "description": "A GitHub Pages custom domain was modified in a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "@timestamp", + "visibility", "repo", + "repo_id", "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "old_cname", + "programmatic_access_type" ] }, { @@ -6689,36 +11758,21 @@ "description": "A GitHub Pages site was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "actor_id", + "user", "_document_id", + "user_id", + "visibility", "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", "actor", - "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type" ] }, { @@ -6726,36 +11780,21 @@ "description": "A GitHub Pages site was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "created_at", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "operation_type", + "repo_id", + "programmatic_access_type" ] }, { @@ -6763,36 +11802,22 @@ "description": "HTTPS redirects were disabled for a GitHub Pages site.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "actor_id", + "repo_id", "_document_id", - "action", + "user_agent", "actor", - "actor_id", - "business", - "org", + "visibility", + "user_id", + "request_id", "repo", - "user", - "created_at", + "@timestamp", "operation_type", + "action", + "created_at", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -6800,73 +11825,42 @@ "description": "HTTPS redirects were enabled for a GitHub Pages site.", "docs_reference_links": "N/A", "fields": [ + "request_id", "@timestamp", - "_document_id", - "action", + "user_agent", + "user_id", + "created_at", + "visibility", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -6874,36 +11868,22 @@ "description": "A GitHub Pages site visibility was changed to public.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -6911,36 +11891,18 @@ "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "visibility", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -6948,36 +11910,22 @@ "description": "A GitHub Pages site that was previously soft-deleted was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "visibility", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -6985,54 +11933,91 @@ "description": "A GitHub Pages source was modified.", "docs_reference_links": "N/A", "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", "@timestamp", + "repo_id", + "user", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "request_id", + "visibility", "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "programmatic_access_type" ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -7040,48 +12025,74 @@ "description": "A Codespaces or Dependabot secret was deleted for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "integration", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { @@ -7089,42 +12100,49 @@ "description": "A topic was removed from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", "actor", - "actor_id", "business", - "org", + "request_id", "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { @@ -7132,36 +12150,26 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "old_branch", + "new_branch", + "default_branch", "repo", + "repo_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { @@ -7169,90 +12177,216 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", "action", - "actor", + "_document_id", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { @@ -7262,40 +12396,42 @@ "fields": [ "@timestamp", "_document_id", - "action", - "actor", + "user_agent", "actor_id", - "business", + "created_at", + "actor", + "repo_id", + "action", "org", + "org_id", + "request_id", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "operation_type" ] }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { @@ -7303,36 +12439,23 @@ "description": "A repository was transferred to another repository network.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -7342,83 +12465,94 @@ "fields": [ "@timestamp", "_document_id", + "operation_type", + "user_id", + "request_id", + "user", "action", + "user_agent", + "created_at", "actor", + "visibility", + "repo_id", "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", + "fields": [ + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", + "policy", + "old_policy", "repo", - "user", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id" ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { @@ -7426,42 +12560,52 @@ "description": "A repository administrator changed GitHub Actions policy settings for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "actor_is_bot" ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -7469,36 +12613,23 @@ "description": "The default branch for a repository was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", + "repo_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type", + "actor_is_bot" ] }, { @@ -7506,36 +12637,26 @@ "description": "A Codespaces or Dependabot secret was updated for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "visibility", + "integration", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "request_access_security_header" ] }, { @@ -7543,42 +12664,56 @@ "description": "A user's permission to a repository was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", "action", + "_document_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "repo_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", "oauth_application_id", - "permission", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", "visibility", - "public_repo", - "key", - "name", - "owner", "old_permission", - "new_permission" + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { "action": "repository_advisory.close", "description": "Someone closed a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories", + "fields": [ + "actor", + "repo", + "@timestamp", + "business", + "business_id", + "user_agent", + "actor_id", + "request_id", + "action", + "operation_type", + "created_at", + "repo_id", + "_document_id", + "org", + "org_id", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories" }, { @@ -7586,19 +12721,19 @@ "description": "Someone requested a CVE (Common Vulnerabilities and Exposures) number from GitHub for a draft security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo_id", + "repo", + "org_id", "actor", - "actor_id", - "business", + "action", + "request_id", "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "user_agent", + "actor_id", + "_document_id", + "created_at" ] }, { @@ -7606,19 +12741,18 @@ "description": "GitHub made a security advisory public in the GitHub Advisory Database.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo" ] }, { @@ -7626,19 +12760,21 @@ "description": "GitHub withdrew a security advisory that was published in error.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -7646,19 +12782,18 @@ "description": "Someone opened a draft security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "operation_type", + "user_agent", "actor_id", - "business", - "org", + "actor", "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "repo_id", + "action", + "@timestamp", + "request_id", + "request_access_security_header" ] }, { @@ -7666,19 +12801,21 @@ "description": "Someone published a security advisory.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "user_agent", + "actor_id", "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "repo_id", + "_document_id", "repo", - "user", + "business_id", + "business", + "request_id", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "org" ] }, { @@ -7686,19 +12823,18 @@ "description": "Someone reopened as draft security advisory.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "user_agent", + "repo", + "action", + "created_at", "@timestamp", + "request_id", + "actor_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "public_repo" ] }, { @@ -7706,31 +12842,73 @@ "description": "Someone edited a draft or published security advisory.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", + "repo_id", + "org_id", "business", - "org", - "repo", - "user", + "actor", + "user_agent", "created_at", + "_document_id", + "business_id", + "repo", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "@timestamp", + "request_id" ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { @@ -7738,19 +12916,26 @@ "description": "Code security was disabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -7758,37 +12943,95 @@ "description": "Code security was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "request_access_security_header", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "repository_content_analysis.disable", "description": "Data use settings were disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "repo_id", + "request_id", + "actor_id", + "created_at", + "user_agent", + "action", + "operation_type", + "actor", + "repo", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_content_analysis.enable", "description": "Data use settings were enabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "org", + "user_id", + "repo_id", + "@timestamp", + "request_id", + "actor", + "action", + "operation_type", + "created_at", + "actor_id", + "repo", + "user_agent", + "org_id", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.disable", "description": "The dependency graph was disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "repo_id", + "operation_type", + "user_id", + "repo", + "_document_id", + "actor", + "user", + "action", + "@timestamp", + "org_id", + "actor_id", + "org", + "created_at", + "user_agent", + "request_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea, tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { @@ -7796,19 +13039,25 @@ "description": "The dependency graph was enabled for a private repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", + "request_id", + "user", "org", + "org_id", + "action", "repo", - "user", + "user_id", "created_at", + "user_agent", + "actor_id", + "repo_id", "operation_type", + "actor", + "@timestamp", + "_document_id", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -7816,19 +13065,21 @@ "description": "An image to represent a repository was uploaded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", "action", + "request_id", "actor", - "actor_id", - "business", - "org", + "content_type", "repo", + "@timestamp", + "_document_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -7836,19 +13087,21 @@ "description": "An image to represent a repository was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "repo_id", + "user_agent", "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "@timestamp", + "request_access_security_header" ] }, { @@ -7856,19 +13109,21 @@ "description": "An invitation to join a repository was accepted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "request_id", + "repo", + "invitee", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" ] }, { @@ -7876,19 +13131,20 @@ "description": "An invitation to join a repository was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "inviter", "action", - "actor", - "actor_id", - "business", - "org", + "operation_type", + "_document_id", + "repo_id", "repo", - "user", + "@timestamp", + "user_agent", + "invitee", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "actor", + "actor_id", + "request_access_security_header" ] }, { @@ -7896,19 +13152,21 @@ "description": "An invitation to join a repository was sent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", "repo", - "user", "created_at", + "user_agent", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -7916,37 +13174,82 @@ "description": "An invitation to join a repository was declined.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo", "_document_id", - "action", "actor", + "invitee", + "action", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "inviter", + "user_agent", + "repo_id" ] }, { "action": "repository_limit.reached", "description": "An organization has reached their repository limit.", "docs_reference_links": "repositories/creating-and-managing-repositories/repository-limits", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "limit", + "count", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "repositories/creating-and-managing-repositories/repository-limits" }, { "action": "repository_limit.warning", "description": "An organization is approaching their repository limit.", "docs_reference_links": "repositories/creating-and-managing-repositories/repository-limits", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "limit", + "count", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "repositories/creating-and-managing-repositories/repository-limits" }, { "action": "repository_projects_change.clear", "description": "The repository projects policy was removed for an organization, or all organizations in the enterprise Organization owners can now control their repository projects settings.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "action", + "user_agent", + "user", + "business_id", + "business", + "operation_type", + "actor", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { @@ -7954,19 +13257,20 @@ "description": "Repository projects were disabled for a repository, all repositories in an organization, or all organizations in an enterprise.", "docs_reference_links": "N/A", "fields": [ + "created_at", "@timestamp", - "_document_id", + "repo", "action", - "actor", + "operation_type", + "_document_id", "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "user_agent", + "repo_id", + "actor", + "request_id", + "programmatic_access_type" ] }, { @@ -7975,90 +13279,363 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "repo_id", "org", - "repo", + "request_id", "user", + "user_agent", "created_at", + "org_id", + "action", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "actor_id", + "repo" ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { @@ -8066,19 +13643,22 @@ "description": "Secret scanning was enabled for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -8086,19 +13666,24 @@ "description": "Generic secrets have been disabled at the repository level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8106,67 +13691,225 @@ "description": "Generic secrets have been enabled at the repository level", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { @@ -8174,19 +13917,28 @@ "description": "A code security configuration was applied to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8194,19 +13946,27 @@ "description": "A code security configuration failed to attach to the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8214,19 +13974,28 @@ "description": "A code security configuration was removed from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8234,25 +14003,50 @@ "description": "A code security configuration was removed due to a change in repository or enterprise settings.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "repository_visibility_change.clear", "description": "The repository visibility change setting was cleared for an organization or enterprise.", "docs_reference_links": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-changes-to-repository-visibility", + "fields": [ + "created_at", + "_document_id", + "request_id", + "actor_id", + "business", + "action", + "operation_type", + "user", + "user_id", + "business_id", + "@timestamp", + "user_agent", + "actor", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, Enforcing repository management policies in your enterprise" }, { @@ -8260,19 +14054,20 @@ "description": "The ability for enterprise members to update a repository's visibility was disabled. Members are unable to change repository visibilities in an organization, or all organizations in an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user", + "org_id", + "created_at", + "user_agent", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "@timestamp", + "user_id", + "action", + "request_id", + "request_access_security_header" ] }, { @@ -8280,37 +14075,102 @@ "description": "The ability for enterprise members to update a repository's visibility was enabled. Members are able to change repository visibilities in an organization, or all organizations in an enterprise.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", + "operation_type", + "_document_id", + "@timestamp", + "user_agent", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "org_id", + "action", + "actor_id", + "user_id", + "request_id" ] }, { "action": "repository_vulnerability_alert.auto_dismiss", "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.auto_reopen", "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.create", "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "fields": [ + "operation_type", + "request_id", + "repo_id", + "@timestamp", + "user_agent", + "alert_id", + "action", + "repo", + "created_at", + "_document_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ], "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts" }, { @@ -8318,19 +14178,26 @@ "description": "A Dependabot alert was manually dismissed.", "docs_reference_links": "N/A", "fields": [ + "repo_id", + "org_id", + "user_id", + "request_id", "@timestamp", + "operation_type", + "user_agent", + "alert_id", + "actor", + "repo", + "created_at", + "org", "_document_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", + "dismiss_reason", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "dismiss_comment", + "alert_number", + "actor_is_bot" ] }, { @@ -8338,19 +14205,22 @@ "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "alert_id", "created_at", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "_document_id", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "alert_number" ] }, { @@ -8358,19 +14228,26 @@ "description": "A Dependabot alert was manually reopened.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "alert_id", "created_at", + "action", + "repo", + "repo_id", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "public_repo", + "alert_number", + "request_access_security_header" ] }, { @@ -8378,19 +14255,21 @@ "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "alert_id", + "repo", + "operation_type", "action", + "repo_id", + "_document_id", + "user_agent", + "request_id", + "@timestamp", + "created_at", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "alert_number", + "programmatic_access_type" ] }, { @@ -8398,25 +14277,44 @@ "description": "A Dependabot alert was withdrawn.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "alert_id", + "alert_number", + "ghsa_id", + "created_at", + "active", "action", - "actor", - "actor_id", - "business", - "org", + "repository_id", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "operation_type" ] }, { "action": "repository_vulnerability_alerts.authorized_users_teams", "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts", + "fields": [ + "org", + "_document_id", + "repo", + "org_id", + "operation_type", + "created_at", + "actor", + "action", + "@timestamp", + "user_agent", + "repo_id", + "request_id", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts" }, { @@ -8424,19 +14322,24 @@ "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -8444,19 +14347,26 @@ "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -8464,19 +14374,23 @@ "description": "Dependabot alerts was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", + "request_id", + "repo_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", "created_at", + "actor", + "user_agent", + "org_id", + "user", + "org", + "_document_id", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -8484,73 +14398,235 @@ "description": "Dependabot alerts was enabled.", "docs_reference_links": "N/A", "fields": [ + "actor", + "user_agent", + "created_at", "@timestamp", - "_document_id", + "repo_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "repo", + "org", + "org_id", + "actor_id", + "_document_id", + "user_id", "operation_type", + "request_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "required_status_check.create", "description": "A status check was marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "org", + "actor_id", + "@timestamp", + "business", + "request_id", + "context", + "repo_id", + "action", + "repo", + "_document_id", + "operation_type", + "business_id", + "org_id", + "actor", + "created_at", + "user_agent", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "required_status_check.destroy", "description": "A status check was no longer marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "actor_id", + "actor", + "created_at", + "context", + "operation_type", + "@timestamp", + "request_id", + "org", + "user_agent", + "repo_id", + "org_id", + "action", + "_document_id", + "repo", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "role.create", "description": "A new custom repository role was created.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "role_permissions", + "old_role_permissions" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.destroy", "description": "A custom repository role was deleted.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.update", "description": "A custom repository role was edited.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "old_role_permissions", + "old_base_role" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.public_leak", "description": "A secret scanning alert was leaked in a public repo.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "created_at" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { @@ -8558,25 +14634,45 @@ "description": "A secret scanning alert was reopened.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "number", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "secret_type_display_name" ] }, { "action": "secret_scanning_alert.report", "description": "A leaked secret was reported to the secret's provider by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "created_at", + "secret_type_display_name", + "secret_type_provider", + "report_result" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts" }, { @@ -8584,19 +14680,28 @@ "description": "A secret scanning alert was resolved.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "number", + "resolution", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" ] }, { @@ -8604,25 +14709,49 @@ "description": "A secret scanning alert was revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "number", "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { @@ -8630,31 +14759,85 @@ "description": "A request to close a secret scanning alert was approved by a user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "request_reviewer_comment", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "secret_scanning_closure_request.cancel", "description": "N/A", "docs_reference_links": "A reqeust to close a secret scanning alert was canceled by a user.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "A, reqeust, to, close, a, secret, scanning, alert, was, canceled, by, a, user." }, { "action": "secret_scanning_closure_request.create", "description": "N/A", "docs_reference_links": "A user requested to close a secret scanning alert.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "reason", + "comment", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "A, user, requested, to, close, a, secret, scanning, alert." }, { @@ -8662,85 +14845,302 @@ "description": "A request to close a secret scanning alert was denied by a user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "request_reviewer_comment", + "repo", + "repo_id", + "public_repo", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.cancel", "description": "A user canceled a request to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_push_protection_request.complete", "description": "A user pushed a commit containing a secret for which there is an approved secret scanning push protection bypass request.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_scan.completed", "description": "A secret scanning scan has completed on this repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "repo_id", + "org_id", + "business_id", + "source", + "type", + "source_slug", + "type_slug", + "started_at", + "completed_at", + "repo", + "public_repo", + "org", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "secret_types", + "custom_pattern_name", + "custom_pattern_scope" + ], "docs_reference_titles": "About secret scanning" }, { @@ -8748,19 +15148,42 @@ "description": "A security configuration was created", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" ] }, { @@ -8768,19 +15191,23 @@ "description": "A default security configuration setting for new repositories was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -8788,19 +15215,23 @@ "description": "A default security configuration setting for new repositories was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -8808,19 +15239,41 @@ "description": "A security configuration was deleted", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" ] }, { @@ -8828,19 +15281,17 @@ "description": "A security configuration policy was updated", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "enforcement", + "security_configuration_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -8848,19 +15299,42 @@ "description": "A security configuration was updated", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" ] }, { @@ -8868,25 +15342,38 @@ "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { @@ -8894,73 +15381,185 @@ "description": "The fiscal host for a GitHub Sponsors listing was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.invoiced_agreement_sign", "description": "An agreement for invoiced billing for GitHub Sponsors was signed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice" }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { @@ -8968,25 +15567,36 @@ "description": "A GitHub Sponsors account was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "sponsors_listing_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { @@ -8995,42 +15605,96 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", + "created_at", + "request_id", + "user", "action", + "user_agent", + "operation_type", + "_document_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id" ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { @@ -9038,19 +15702,20 @@ "description": "A GitHub Sponsors tier changed access for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -9058,19 +15723,18 @@ "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -9078,43 +15742,104 @@ "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { @@ -9122,19 +15847,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "public_repo" ] }, { @@ -9142,19 +15866,20 @@ "description": "The verification code expiry time for an organization or enterprise domain was set.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -9162,19 +15887,18 @@ "description": "An organization or enterprise domain was unverified.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "owner_type", + "domain_name", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { @@ -9182,25 +15906,39 @@ "description": "An organization or enterprise domain was verified.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "domain_name", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { @@ -9208,31 +15946,65 @@ "description": "A team was given access and permissions to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", "org", "repo", - "user", - "created_at", - "operation_type", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { @@ -9240,25 +16012,44 @@ "description": "A new team is created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", "org", - "repo", - "user", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { @@ -9266,19 +16057,19 @@ "description": "A team was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "programmatic_access_type" ] }, { @@ -9286,25 +16077,40 @@ "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", "docs_reference_links": "N/A", "fields": [ + "business_id", + "operation_type", "@timestamp", - "_document_id", - "action", + "user_agent", "actor", "actor_id", - "business", - "org", - "repo", "user", + "business", + "action", + "request_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "_document_id" ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { @@ -9312,19 +16118,19 @@ "description": "Team discussions were enabled for an organization.", "docs_reference_links": "N/A", "fields": [ + "actor_id", "@timestamp", - "_document_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", "user", - "created_at", + "business", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "created_at" ] }, { @@ -9332,19 +16138,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "created_at", "actor", + "action", + "operation_type", + "team", + "@timestamp", "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "org_id", + "user_agent", + "request_id", + "request_access_security_header" ] }, { @@ -9352,19 +16158,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "operation_type", "@timestamp", + "actor_id", "_document_id", + "team", + "created_at", + "org_id", "action", + "request_id", + "user_agent", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -9372,31 +16178,70 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "team", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { @@ -9404,19 +16249,21 @@ "description": "A repository was removed from a team's control.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", + "org_id", + "repo", + "repo_id", "action", + "_document_id", "actor", + "@timestamp", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", "created_at", + "team", + "org", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { @@ -9424,31 +16271,61 @@ "description": "A team's name was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "name", + "user_agent", "created_at", + "team", "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { @@ -9456,19 +16333,19 @@ "description": "The Okta credentials for team synchronization with a tenant were changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -9476,19 +16353,28 @@ "description": "A team's permission to a repository was changed.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "team", + "org_id", "@timestamp", + "org", "_document_id", + "old_permission", + "request_id", + "repo", "action", + "repo_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" ] }, { @@ -9496,19 +16382,18 @@ "description": "A Dependabot rule was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -9516,19 +16401,18 @@ "description": "A Dependabot rule was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -9536,19 +16420,20 @@ "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -9556,19 +16441,21 @@ "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -9576,19 +16463,21 @@ "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", "org", - "repo", - "user", + "org_id", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -9596,19 +16485,21 @@ "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", "org", - "repo", - "user", + "org_id", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -9616,25 +16507,47 @@ "description": "A Dependabot rule's conditions, actions, or metadata changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { @@ -9642,25 +16555,59 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { @@ -9668,37 +16615,122 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "workflow_run_id", + "run_number", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { @@ -9706,19 +16738,22 @@ "description": "A workflow was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "workflow_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -9726,19 +16761,21 @@ "description": "A workflow was enabled, after previously being disabled by disable_workflow.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "workflow_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -9746,37 +16783,118 @@ "description": "A workflow was pinned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { @@ -9784,19 +16902,25 @@ "description": "A workflow was unpinned after previously being pinned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghec/user.json b/src/audit-logs/data/ghec/user.json index fd1419921d57..1fd12e5753ec 100644 --- a/src/audit-logs/data/ghec/user.json +++ b/src/audit-logs/data/ghec/user.json @@ -4,25 +4,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "org", "@timestamp", + "operation_type", + "user_agent", "_document_id", + "created_at", "action", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { @@ -30,19 +42,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "action", + "request_id", "@timestamp", + "user_agent", + "created_at", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "token_id", + "user_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "operation_type" ] }, { @@ -50,19 +61,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", "actor", + "user_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp" ] }, { @@ -70,19 +80,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "user", "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" ] }, { @@ -90,19 +99,29 @@ "description": "A GitHub Actions cache was deleted using the REST API.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "oauth_application_id", + "user_id", "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -110,31 +129,58 @@ "description": "A workflow run artifact was manually deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", "actor", + "user_agent", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "request_id", + "@timestamp", "created_at", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "programmatic_access_type" ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { @@ -142,19 +188,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "oauth_application_id", "@timestamp", + "actor_id", + "operation_type", "_document_id", - "action", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "user_agent", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action" ] }, { @@ -162,19 +207,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -182,19 +226,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -202,19 +244,26 @@ "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -222,19 +271,24 @@ "description": "A CSV export was requested on the \"Coverage\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -242,19 +296,26 @@ "description": "A CSV export was requested on the \"Overview Dashboard\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -262,87 +323,215 @@ "description": "A CSV export was requested on the \"Risk\" page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", + "business_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", - "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" - }, - { - "action": "checks.delete_logs", - "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", + "repo_id", "user", + "user_id", + "action", + "operation_type", + "@timestamp", "created_at", + "_document_id", + "public_repo" + ], + "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" + }, + { + "action": "checks.delete_logs", + "description": "Logs in a check suite were deleted.", + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" ] }, { @@ -350,19 +539,16 @@ "description": "A codespace using custom permissions from its devcontainer.json file was launched.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "origin_repository", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -370,31 +556,79 @@ "description": "Credentials for a codespace were refreshed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "machine_type", + "devcontainer_path" ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { @@ -402,19 +636,18 @@ "description": "A codespace was exported to a branch on GitHub.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "public_repo" ] }, { @@ -422,19 +655,19 @@ "description": "A codespace was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -442,19 +675,27 @@ "description": "A codespace was started.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "name", "org", - "repo", + "owner", + "pull_request_id", + "machine_type", + "user_id", "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -462,25 +703,39 @@ "description": "A codespace was stopped.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "owner", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { @@ -488,25 +743,41 @@ "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { @@ -514,19 +785,24 @@ "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", + "token_id", + "token_scopes", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -534,19 +810,17 @@ "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -554,19 +828,20 @@ "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "request_access_security_header" ] }, { @@ -574,19 +849,19 @@ "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "seat_assignment", + "request_access_security_header" ] }, { @@ -594,19 +869,21 @@ "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "user_id", "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -614,19 +891,22 @@ "description": "Specific repositories were disabled from using Copilot coding agent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "org_id", + "owner_type", "actor_id", - "business", - "org", + "owner", "repo", - "user", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id" ] }, { @@ -634,19 +914,23 @@ "description": "Specific repositories were enabled to use Copilot coding agent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "request_access_security_header", + "org_id", + "owner_type", + "owner", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" ] }, { @@ -654,19 +938,22 @@ "description": "Copilot coding agent access was updated for the organization's or user's repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "request_access_security_header", + "new_access", + "old_access", + "org_id", + "owner_type", + "owner", "org", - "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -674,19 +961,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "runner_group_id", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -694,19 +985,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -714,43 +1007,107 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "runner_group_id", "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { @@ -758,25 +1115,38 @@ "description": "The repositories that Dependabot can access were updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -784,25 +1154,40 @@ "description": "Dependabot security updates were enabled for all existing repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -810,25 +1195,40 @@ "description": "Dependabot security updates were enabled for all new repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -836,25 +1236,40 @@ "description": "The dependency graph was enabled for all existing repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id" ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { @@ -862,25 +1277,44 @@ "description": "The dependency graph was enabled for all new repositories.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { @@ -888,73 +1322,259 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "environment_name", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", - "docs_reference_titles": "Store information in variables" - }, - { - "action": "environment.delete", - "description": "An environment was deleted.", - "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", - "docs_reference_titles": "Managing environments for deployment" - }, - { - "action": "environment.remove_actions_secret", - "description": "A secret was deleted for a GitHub Actions environment.", - "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Store information in variables" + }, + { + "action": "environment.delete", + "description": "An environment was deleted.", + "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Managing environments for deployment" + }, + { + "action": "environment.remove_actions_secret", + "description": "A secret was deleted for a GitHub Actions environment.", + "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { @@ -962,19 +1582,21 @@ "description": "A gist was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", + "user_id", "user", + "gist_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -982,19 +1604,20 @@ "description": "A gist was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_id", + "gist_id", + "visibility", + "created_at", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "request_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" ] }, { @@ -1002,31 +1625,70 @@ "description": "The visibility of a gist was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", + "operation_type", + "@timestamp", + "user_agent", "actor", - "actor_id", - "business", - "org", - "repo", "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { @@ -1034,19 +1696,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1054,19 +1720,21 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -1074,19 +1742,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", "business", - "org", - "repo", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1094,19 +1765,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user_id", + "@timestamp", + "user", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" ] }, { @@ -1114,19 +1784,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_id", + "operation_type", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" ] }, { @@ -1134,19 +1803,25 @@ "description": "A hook's active status was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "programmatic_access_type" ] }, { @@ -1154,25 +1829,53 @@ "description": "A hook's configuration was changed.", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "operation_type", "@timestamp", "_document_id", - "action", "actor", - "actor_id", - "business", + "name", "org", + "user_agent", + "request_id", + "hook_id", "repo", - "user", + "repo_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { @@ -1180,19 +1883,25 @@ "description": "A hook was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "events", "repo", - "user", "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -1200,19 +1909,26 @@ "description": "A hook's configured events were changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "events", "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" ] }, { @@ -1220,19 +1936,22 @@ "description": "A GitHub App was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "operation_type", + "@timestamp", "actor", + "user_agent", "actor_id", - "business", - "org", - "repo", - "user", + "request_id", + "name", + "user_id", + "_document_id", + "integration", "created_at", - "operation_type", "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "application_client_id" ] }, { @@ -1240,19 +1959,19 @@ "description": "A GitHub App was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "user_id", "actor_id", - "business", - "org", - "repo", + "request_id", + "@timestamp", + "name", + "integration", "user", - "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent" ] }, { @@ -1260,73 +1979,234 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", + "name", + "integration", "business", - "org", - "repo", - "user", - "created_at", + "business_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header", + "application_client_id" ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { @@ -1334,19 +2214,20 @@ "description": "A client secret for a GitHub App was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" ] }, { @@ -1354,19 +2235,20 @@ "description": "All user tokens for a GitHub App were requested to be revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "application_client_id" ] }, { @@ -1374,37 +2256,93 @@ "description": "Token(s) for a GitHub App were revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "name", + "integration", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "application_client_id" ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", - "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" - }, - { - "action": "integration.unsuspend", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], + "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" + }, + { + "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { @@ -1412,19 +2350,18 @@ "description": "The GitHub Marketplace Developer Agreement was signed.", "docs_reference_links": "N/A", "fields": [ + "request_id", + "actor", + "actor_id", "@timestamp", "_document_id", + "user_agent", + "operation_type", + "created_at", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -1432,19 +2369,21 @@ "description": "A listing was approved for inclusion in GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "secondary_category", "actor", - "actor_id", - "business", - "org", - "repo", + "primary_category", "user", - "created_at", + "@timestamp", + "_document_id", + "user_id", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" ] }, { @@ -1452,19 +2391,21 @@ "description": "A category for a listing for an app in GitHub Marketplace was changed.", "docs_reference_links": "N/A", "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", "@timestamp", - "_document_id", + "integration", + "org_id", "action", - "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "secondary_category", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "actor_id", + "_document_id" ] }, { @@ -1472,19 +2413,22 @@ "description": "A listing for an app in GitHub Marketplace was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "primary_category", "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp" ] }, { @@ -1492,19 +2436,21 @@ "description": "A listing was removed from GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "org", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "request_id", + "org_id", "created_at", + "secondary_category", "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" ] }, { @@ -1513,18 +2459,21 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "actor", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" ] }, { @@ -1532,19 +2481,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", "_document_id", "action", + "user_agent", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" ] }, { @@ -1552,19 +2504,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" ] }, { @@ -1572,19 +2527,22 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "monthly_price_in_cents", + "marketplace_listing", "_document_id", "action", - "actor", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "created_at" ] }, { @@ -1592,19 +2550,22 @@ "description": "A listing was sent back to draft state.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" ] }, { @@ -1612,19 +2573,22 @@ "description": "A listing was not accepted for inclusion in GitHub Marketplace.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -1632,19 +2596,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1652,19 +2616,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1672,19 +2640,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1692,19 +2659,20 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", "repo", - "user", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1712,19 +2680,14 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "user", "@timestamp", "_document_id", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_access_security_header" ] }, { @@ -1732,19 +2695,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" ] }, { @@ -1752,51 +2715,88 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", + "action", "org", - "repo", - "user", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" - ] - }, + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] + }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo", + "org_id", "_document_id", + "org", + "repo_id", "action", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { @@ -1804,19 +2804,20 @@ "description": "An OAuth access token was regenerated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "user_id", "_document_id", + "created_at", + "@timestamp", + "operation_type", "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", + "token_scopes", "programmatic_access_type", - "token_scopes" + "oauth_application_name" ] }, { @@ -1824,19 +2825,18 @@ "description": "An OAuth access token was revoked.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", + "request_access_security_header", + "hashed_token", + "token_id", + "token_scopes", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -1844,85 +2844,266 @@ "description": "An OAuth access token was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "request_id", + "actor_id", + "actor", + "operation_type", "_document_id", + "user_id", + "created_at", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "@timestamp", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "request_access_security_header" ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "oauth_authorization.update", "description": "An authorization for an OAuth application was updated.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "org_id", + "request_id", + "user_id", + "actor", + "actor_id", + "user_agent", + "@timestamp", + "operation_type", + "action", + "user", + "created_at", + "_document_id", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { @@ -1930,19 +3111,22 @@ "description": "A user joined an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "permission", "_document_id", - "action", - "actor", - "actor_id", - "business", "org", - "repo", + "operation_type", + "request_id", + "actor", "user", + "@timestamp", "created_at", - "operation_type", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", "programmatic_access_type", - "token_scopes" + "actor_is_bot" ] }, { @@ -1950,19 +3134,24 @@ "description": "An outside collaborator was added to a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "inviter", "org", + "org_id", "repo", - "user", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -1970,18 +3159,19 @@ "description": "GitHub Advanced Security was disabled for new repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", "token_scopes" ] }, @@ -1990,18 +3180,21 @@ "description": "GitHub Advanced Security was disabled for all repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -2010,38 +3203,42 @@ "description": "GitHub Advanced Security was enabled for new repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" - ] - }, + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] + }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes" ] }, @@ -2050,19 +3247,21 @@ "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", "created_at", + "user", "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id", + "org", + "token_scopes", + "programmatic_access_type" ] }, { @@ -2070,19 +3269,27 @@ "description": "A CSV export was requested on the CodeQL pull request alerts page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot" ] }, { @@ -2090,19 +3297,26 @@ "description": "A CSV export was requested on the Coverage page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2110,19 +3324,28 @@ "description": "A CSV export was requested on the Overview Dashboard page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { @@ -2130,55 +3353,148 @@ "description": "A CSV export was requested on the Risk page.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", "org", - "repo", + "org_id", "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { @@ -2187,18 +3503,20 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", + "org_id", + "created_at", "_document_id", + "user", + "user_id", "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "old_permission", + "permission", + "actor", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "org" ] }, { @@ -2206,43 +3524,106 @@ "description": "The create repository permission for organization members was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "action", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "permission", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { @@ -2250,19 +3631,19 @@ "description": "A new passkey was added.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "nickname", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2270,19 +3651,19 @@ "description": "A new passkey was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "nickname", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2290,19 +3671,18 @@ "description": "A new payment method was added, such as a new credit card or PayPal account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", "_document_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2310,19 +3690,16 @@ "description": "A payment method was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "_document_id", + "request_access_security_header" ] }, { @@ -2330,31 +3707,62 @@ "description": "An existing payment method was updated.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", "@timestamp", - "_document_id", "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "_document_id", + "request_access_security_header" ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { @@ -2362,19 +3770,19 @@ "description": "Triggered when you create a fine-grained personal access token.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "user_programmatic_access_name", "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2382,25 +3790,35 @@ "description": "Triggered when you regenerate a fine-grained personal access token.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "user_programmatic_access_name", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { @@ -2408,19 +3826,20 @@ "description": "Triggered when you delete a fine-grained personal access token.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", + "user_programmatic_access_name", "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2428,37 +3847,86 @@ "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "user_programmatic_access_name", "org", - "repo", - "user", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_programmatic_access_request_id" ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { @@ -2466,19 +3934,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2486,19 +3952,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2506,19 +3972,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2526,19 +3990,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2546,19 +4010,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2566,19 +4030,19 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -2586,25 +4050,39 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { @@ -2612,25 +4090,40 @@ "description": "A project board visibility was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", + "actor", + "user_agent", + "operation_type", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { @@ -2638,19 +4131,25 @@ "description": "A collaborator was added to a project.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", + "user_agent", + "request_id", + "collaborator_type", "org", - "repo", - "user", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" ] }, { @@ -2658,19 +4157,20 @@ "description": "A collaborator was removed from a project.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "collaborator_type", "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2678,19 +4178,25 @@ "description": "A project collaborator's permission level was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -2698,19 +4204,17 @@ "description": "A project board was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "operation_type", "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor" ] }, { @@ -2718,31 +4222,57 @@ "description": "A project board was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { @@ -2750,25 +4280,41 @@ "description": "A repository was linked to a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo_id", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "org_id", + "user_agent", + "request_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { @@ -2776,19 +4322,22 @@ "description": "A project board was renamed.", "docs_reference_links": "N/A", "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", "@timestamp", + "repo", "_document_id", - "action", + "user_agent", + "org_id", + "business_id", "actor", - "actor_id", - "business", + "repo_id", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "business" ] }, { @@ -2796,19 +4345,19 @@ "description": "A repository was unlinked from a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "repo", + "repo_id", + "operation_type", "actor", + "action", + "created_at", "actor_id", - "business", + "_document_id", + "request_id", + "@timestamp", + "user_agent", "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org_id" ] }, { @@ -2816,19 +4365,17 @@ "description": "The project's base-level permission for all organization members was changed or removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", "org", - "repo", - "user", - "created_at", + "@timestamp", + "_document_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" ] }, { @@ -2836,19 +4383,18 @@ "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "org_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" ] }, { @@ -2856,31 +4402,60 @@ "description": "A user was added to or removed from a project board or had their permission level changed.", "docs_reference_links": "N/A", "fields": [ + "request_id", + "user_id", + "operation_type", "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_agent", + "actor", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { @@ -2888,19 +4463,20 @@ "description": "A project's visibility was changed from public to private.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "project_kind", + "project_name" ] }, { @@ -2908,109 +4484,391 @@ "description": "A project's visibility was changed from private to public.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", + "project_id", "org", - "repo", - "user", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "project_kind", + "project_name", + "request_access_security_header" ] }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", - "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" - }, - { - "action": "public_key.verify", - "description": "A user account's SSH key or a repository's deploy key was verified.", - "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], + "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" + }, + { + "action": "public_key.verify", + "description": "A user account's SSH key or a repository's deploy key was verified.", + "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { @@ -3018,84 +4876,190 @@ "description": "Pull request merge options were changed for a repository.", "docs_reference_links": "N/A", "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", "@timestamp", "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "action", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { @@ -3103,54 +5067,108 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "oauth_application_id", + "token_id", + "token_scopes", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", - "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" - }, - { - "action": "repo.create_actions_secret", - "description": "A GitHub Actions secret was created for a repository.", - "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", - "docs_reference_titles": "Using secrets in GitHub Actions" - }, - { - "action": "repo.create_actions_variable", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], + "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" + }, + { + "action": "repo.create_actions_secret", + "description": "A GitHub Actions secret was created for a repository.", + "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], + "docs_reference_titles": "Using secrets in GitHub Actions" + }, + { + "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -3158,42 +5176,51 @@ "description": "A Codespaces or Dependabot secret was created for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "visibility", + "integration", "repo", - "user", - "created_at", + "repo_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type", + "request_access_security_header" ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { @@ -3201,36 +5228,23 @@ "description": "A GitHub Pages custom domain was modified in a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "@timestamp", + "visibility", "repo", + "repo_id", "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", "created_at", + "_document_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "old_cname", + "programmatic_access_type" ] }, { @@ -3238,36 +5252,21 @@ "description": "A GitHub Pages site was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "actor_id", + "user", "_document_id", + "user_id", + "visibility", "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", "actor", - "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type" ] }, { @@ -3275,36 +5274,21 @@ "description": "A GitHub Pages site was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "created_at", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "operation_type", + "repo_id", + "programmatic_access_type" ] }, { @@ -3312,36 +5296,22 @@ "description": "HTTPS redirects were disabled for a GitHub Pages site.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "actor_id", + "repo_id", "_document_id", - "action", + "user_agent", "actor", - "actor_id", - "business", - "org", + "visibility", + "user_id", + "request_id", "repo", - "user", - "created_at", + "@timestamp", "operation_type", + "action", + "created_at", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -3349,36 +5319,21 @@ "description": "HTTPS redirects were enabled for a GitHub Pages site.", "docs_reference_links": "N/A", "fields": [ + "request_id", "@timestamp", - "_document_id", - "action", + "user_agent", + "user_id", + "created_at", + "visibility", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" ] }, { @@ -3386,110 +5341,62 @@ "description": "A GitHub Pages site visibility was changed to private.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" - ] - }, - { - "action": "repo.pages_public", - "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" ] }, { - "action": "repo.pages_soft_delete", - "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", + "action": "repo.pages_public", + "description": "A GitHub Pages site visibility was changed to public.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", + "request_access_security_header" + ] + }, + { + "action": "repo.pages_soft_delete", + "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", + "docs_reference_links": "N/A", + "fields": [ "visibility", + "repo", + "repo_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" ] }, { @@ -3497,36 +5404,22 @@ "description": "A GitHub Pages site that was previously soft-deleted was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "visibility", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -3534,54 +5427,91 @@ "description": "A GitHub Pages source was modified.", "docs_reference_links": "N/A", "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", "@timestamp", + "repo_id", + "user", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", + "request_id", + "visibility", "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "action", + "programmatic_access_type" ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -3589,48 +5519,74 @@ "description": "A Codespaces or Dependabot secret was deleted for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "integration", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { @@ -3638,42 +5594,49 @@ "description": "A topic was removed from a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", "actor", - "actor_id", "business", - "org", + "request_id", "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { @@ -3681,72 +5644,163 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "repo", "action", - "actor", + "_document_id", "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" ] }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { @@ -3756,46 +5810,66 @@ "fields": [ "@timestamp", "_document_id", - "action", - "actor", + "user_agent", "actor_id", - "business", + "created_at", + "actor", + "repo_id", + "action", "org", + "org_id", + "request_id", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "operation_type" ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { @@ -3803,36 +5877,23 @@ "description": "A repository was transferred to another repository network.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { @@ -3842,40 +5903,42 @@ "fields": [ "@timestamp", "_document_id", + "operation_type", + "user_id", + "request_id", + "user", "action", + "user_agent", + "created_at", "actor", + "visibility", + "repo_id", "actor_id", - "business", - "org", "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "request_access_security_header" ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { @@ -3883,42 +5946,51 @@ "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", + "policy", + "old_policy", "repo", - "user", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "business", + "business_id" ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { @@ -3926,42 +5998,52 @@ "description": "A repository administrator changed GitHub Actions policy settings for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "actor_is_bot" ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { @@ -3969,36 +6051,23 @@ "description": "The default branch for a repository was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "visibility", "repo", + "repo_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", + "@timestamp", + "created_at", + "_document_id", "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", - "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "programmatic_access_type", + "actor_is_bot" ] }, { @@ -4006,36 +6075,26 @@ "description": "A Codespaces or Dependabot secret was updated for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", + "key", + "visibility", + "integration", "repo", - "user", - "created_at", + "repo_id", + "org", + "org_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", - "oauth_application_id", - "permission", - "visibility", + "@timestamp", + "created_at", + "_document_id", "public_repo", - "key", - "name", - "owner", - "old_permission", - "new_permission" + "token_scopes", + "programmatic_access_type", + "request_access_security_header" ] }, { @@ -4043,36 +6102,32 @@ "description": "A user's permission to a repository was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", "action", + "_document_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "repo_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes", - "pull_request_id", - "pull_request_url", - "pull_request_title", - "branch", - "head_sha", - "head_branch", - "message", - "fingerprint", "oauth_application_id", - "permission", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", "visibility", - "public_repo", - "key", - "name", - "owner", "old_permission", - "new_permission" + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" ] }, { @@ -4080,19 +6135,21 @@ "description": "An image to represent a repository was uploaded.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", "action", + "request_id", "actor", - "actor_id", - "business", - "org", + "content_type", "repo", + "@timestamp", + "_document_id", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -4100,19 +6157,21 @@ "description": "An image to represent a repository was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", "_document_id", - "action", "actor", - "actor_id", - "business", - "org", + "repo_id", + "user_agent", "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "@timestamp", + "request_access_security_header" ] }, { @@ -4120,19 +6179,21 @@ "description": "An invitation to join a repository was accepted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "request_id", + "repo", + "invitee", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" ] }, { @@ -4140,19 +6201,20 @@ "description": "An invitation to join a repository was canceled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "inviter", "action", - "actor", - "actor_id", - "business", - "org", + "operation_type", + "_document_id", + "repo_id", "repo", - "user", + "@timestamp", + "user_agent", + "invitee", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "actor", + "actor_id", + "request_access_security_header" ] }, { @@ -4160,19 +6222,21 @@ "description": "An invitation to join a repository was sent.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", "repo", - "user", "created_at", + "user_agent", + "repo_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "token_scopes", + "programmatic_access_type" ] }, { @@ -4180,37 +6244,123 @@ "description": "An invitation to join a repository was declined.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "repo", "_document_id", - "action", "actor", + "invitee", + "action", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "inviter", + "user_agent", + "repo_id" ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { @@ -4218,19 +6368,18 @@ "description": "A security key was registered for an account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" ] }, { @@ -4238,19 +6387,18 @@ "description": "A security key was removed from an account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user", + "request_access_security_header" ] }, { @@ -4258,25 +6406,38 @@ "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { @@ -4284,67 +6445,166 @@ "description": "The fiscal host for a GitHub Sponsors listing was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", "org", - "repo", - "user", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { @@ -4352,25 +6612,36 @@ "description": "A GitHub Sponsors account was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "sponsors_listing_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { @@ -4379,48 +6650,115 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", + "created_at", + "request_id", + "user", "action", + "user_agent", + "operation_type", + "_document_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id" ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { @@ -4428,19 +6766,20 @@ "description": "A GitHub Sponsors tier changed access for a repository.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { @@ -4448,25 +6787,37 @@ "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { @@ -4474,43 +6825,86 @@ "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { @@ -4518,25 +6912,32 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { @@ -4544,19 +6945,17 @@ "description": "A new trusted device was added.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "actor", + "actor_id", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -4564,19 +6963,17 @@ "description": "A trusted device was removed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -4584,19 +6981,15 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "created_at", + "action", + "request_id", + "user_id", "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "operation_type" ] }, { @@ -4604,19 +6997,15 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "request_id", "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "user", + "_document_id", + "user_agent", + "action" ] }, { @@ -4624,19 +7013,13 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "user", + "action" ] }, { @@ -4644,19 +7027,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "created_at", "actor", "actor_id", - "business", - "org", - "repo", + "@timestamp", + "request_id", "user", - "created_at", + "user_id", + "user_agent", "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "_document_id" ] }, { @@ -4664,19 +7045,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_id", "actor", - "actor_id", - "business", - "org", - "repo", + "action", + "@timestamp", + "user_agent", + "operation_type", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "actor_id", + "_document_id" ] }, { @@ -4684,19 +7063,16 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" ] }, { @@ -4704,37 +7080,75 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "operation_type", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "user", + "_document_id", + "request_id" ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { @@ -4742,19 +7156,15 @@ "description": "A one-time password code was sent to a user account fallback phone number.", "docs_reference_links": "N/A", "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", "@timestamp", + "request_id", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent" ] }, { @@ -4762,25 +7172,37 @@ "description": "Two factor recovery codes were regenerated for a user account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "request_id", + "actor", + "operation_type", "_document_id", + "user_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "actor_id", + "@timestamp", + "created_at" ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { @@ -4788,19 +7210,15 @@ "description": "A one-time password code was sent to a user account fallback phone number.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "request_id", + "operation_type", + "user_id", "user", + "user_agent", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "action", + "@timestamp" ] }, { @@ -4809,24 +7227,37 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", + "created_at", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "action", + "request_id", + "actor", + "actor_id" ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { @@ -4834,19 +7265,18 @@ "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", "docs_reference_links": "N/A", "fields": [ + "actor", + "user_id", + "created_at", + "user", "@timestamp", "_document_id", - "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "action", + "request_access_security_header" ] }, { @@ -4854,19 +7284,17 @@ "description": "Audit log entries were exported.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at" ] }, { @@ -4874,19 +7302,20 @@ "description": "A user was blocked by another user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", "action", "actor", + "user_id", + "_document_id", "actor_id", - "business", - "org", - "repo", + "@timestamp", + "user_agent", "user", - "created_at", + "request_id", + "blocked_user", "operation_type", + "created_at", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4894,31 +7323,57 @@ "description": "A user changed their password.", "docs_reference_links": "N/A", "fields": [ + "request_id", "@timestamp", - "_document_id", - "action", - "actor", + "user_agent", "actor_id", - "business", - "org", - "repo", + "operation_type", + "actor", "user", + "user_id", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "request_access_security_header" ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { @@ -4926,19 +7381,19 @@ "description": "A new user account was created.", "docs_reference_links": "N/A", "fields": [ + "email", + "user_id", + "operation_type", "@timestamp", + "request_id", + "user", + "created_at", "_document_id", - "action", + "user_agent", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "action", + "programmatic_access_type" ] }, { @@ -4946,19 +7401,21 @@ "description": "A user secret for Codespaces was created.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "key", + "visibility", + "integration", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -4966,19 +7423,20 @@ "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "user", + "created_at", + "user_agent", "_document_id", + "operation_type", + "oauth_application_id", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" ] }, { @@ -4986,19 +7444,18 @@ "description": "A user account was destroyed by an asynchronous job.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "operation_type", + "created_at", + "user_agent", "action", + "request_id", + "user_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { @@ -5007,18 +7464,19 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", - "_document_id", + "oauth_application_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", "operation_type", + "_document_id", + "user_id", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5026,19 +7484,18 @@ "description": "A user deleted his or her account, triggering user.async_delete.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", "user", + "_document_id", "created_at", + "user_agent", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_id", + "action", + "@timestamp", + "request_access_security_header" ] }, { @@ -5046,19 +7503,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "request_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5066,19 +7522,18 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "user_id", "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" ] }, { @@ -5087,18 +7542,17 @@ "docs_reference_links": "N/A", "fields": [ "@timestamp", + "user", "_document_id", "action", + "operation_type", + "user_agent", + "created_at", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_id", + "request_access_security_header" ] }, { @@ -5106,19 +7560,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5126,19 +7578,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5146,19 +7596,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5166,25 +7614,44 @@ "description": "An enterprise managed user claimed an email address.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { @@ -5192,19 +7659,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5212,19 +7677,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5232,19 +7695,17 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "created_at", + "_document_id" ] }, { @@ -5252,25 +7713,37 @@ "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_id", "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent" ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { @@ -5278,25 +7751,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", "@timestamp", "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_id" ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { @@ -5304,19 +7789,19 @@ "description": "A user signed in.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "user_agent", + "user_id", "actor_id", - "business", - "org", - "repo", + "@timestamp", "user", - "created_at", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" ] }, { @@ -5324,19 +7809,18 @@ "description": "A user signed out.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5344,19 +7828,18 @@ "description": "A user signed in from a new device.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", "user", - "created_at", + "user_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" ] }, { @@ -5364,19 +7847,21 @@ "description": "An ordinary user account was promoted to a site administrator.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_id", "action", "actor", "actor_id", - "business", - "org", - "repo", "user", + "@timestamp", "created_at", + "user_agent", + "oauth_application_id", + "request_id", "operation_type", + "_document_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5384,19 +7869,17 @@ "description": "A user's account was restored.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_agent", + "user", "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", + "@timestamp", + "_document_id", + "request_id", + "user_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "actor", + "operation_type" ] }, { @@ -5404,19 +7887,20 @@ "description": "An email address was removed from a user account.", "docs_reference_links": "N/A", "fields": [ + "user_agent", + "action", "@timestamp", "_document_id", - "action", + "request_id", + "user", + "user_id", + "operation_type", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "email", + "token_scopes", + "programmatic_access_type" ] }, { @@ -5424,19 +7908,20 @@ "description": "A user secret for Codespaces was deleted.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "key", + "integration", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5444,19 +7929,20 @@ "description": "A username was changed.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", - "actor", + "request_id", "actor_id", - "business", - "org", - "repo", - "user", + "old_login", "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "token_scopes", + "programmatic_access_type" ] }, { @@ -5464,19 +7950,18 @@ "description": "A user reset their account password.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", + "action", + "user_agent", "user", + "request_id", + "user_id", "created_at", + "@timestamp", + "_document_id", + "actor", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5484,25 +7969,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "created_at", + "request_id", + "user_id", + "action", "@timestamp", "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "operation_type" ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { @@ -5510,19 +8007,18 @@ "description": "A user signed in from an unrecognized device.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "request_id", "action", - "actor", - "actor_id", - "business", - "org", - "repo", + "_document_id", + "user_agent", "user", - "created_at", + "user_id", "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" ] }, { @@ -5530,19 +8026,18 @@ "description": "A user signed in from an unrecognized device and location.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", "user", + "user_id", + "@timestamp", + "user_agent", "created_at", + "_document_id", + "request_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5550,25 +8045,47 @@ "description": "Triggered when you clear the status on your profile.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", "org", - "repo", + "user_id", + "actor", + "message", "user", + "actor_id", "created_at", + "request_id", + "limited_availability", + "action", + "emoji", "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { @@ -5576,19 +8093,21 @@ "description": "A user account was suspended.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "oauth_application_id", + "operation_type", "actor_id", - "business", - "org", - "repo", "user", + "user_agent", + "request_id", + "actor", "created_at", - "operation_type", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5596,39 +8115,37 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ + "request_id", + "user", + "actor_id", "@timestamp", + "operation_type", "_document_id", - "action", + "user_agent", "actor", - "actor_id", - "business", - "org", - "repo", - "user", + "action", + "user_id", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", "docs_reference_links": "N/A", - "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", - "actor_id", - "business", - "org", - "repo", - "user", - "created_at", + "fields": [ "operation_type", - "programmatic_access_type", - "token_scopes" + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" ] }, { @@ -5638,17 +8155,16 @@ "fields": [ "@timestamp", "_document_id", - "action", - "actor", + "user_id", + "operation_type", "actor_id", - "business", - "org", - "repo", "user", + "actor", + "user_agent", + "request_id", + "action", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5656,19 +8172,18 @@ "description": "A user used their 2FA recovery codes.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", "action", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { @@ -5676,19 +8191,18 @@ "description": "A user downloaded 2FA recovery codes for their account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", + "user_id", + "operation_type", "actor_id", - "business", - "org", - "repo", "user", + "request_id", + "action", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "user_agent", + "actor", + "_document_id", + "request_access_security_header" ] }, { @@ -5696,19 +8210,17 @@ "description": "A user printed 2FA recovery codes for their account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "user", "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", - "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp" ] }, { @@ -5716,25 +8228,37 @@ "description": "A user viewed 2FA recovery codes for their account.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", - "actor", "actor_id", - "business", - "org", - "repo", - "user", + "user_agent", + "actor", + "user_id", + "action", "created_at", + "user", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { @@ -5742,19 +8266,19 @@ "description": "A user was unblocked by another user.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", + "actor_id", "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", "actor", - "actor_id", - "business", - "org", - "repo", + "@timestamp", + "user_agent", + "user_id", "user", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5762,19 +8286,21 @@ "description": "A user account was unsuspended.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", + "request_id", "_document_id", + "user", "action", + "user_agent", "actor", + "oauth_application_id", + "operation_type", "actor_id", - "business", - "org", - "repo", - "user", "created_at", - "operation_type", + "@timestamp", + "user_id", + "token_scopes", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5782,19 +8308,21 @@ "description": "A user secret for Codespaces was updated.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", - "repo", + "user_agent", + "request_id", + "key", + "visibility", + "integration", "user", + "user_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5802,25 +8330,47 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", - "repo", - "user", "created_at", + "user", + "user_id", + "action", "operation_type", - "programmatic_access_type", - "token_scopes" + "@timestamp", + "_document_id", + "request_access_security_header" ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { @@ -5828,19 +8378,23 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5848,25 +8402,50 @@ "description": "N/A", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", "actor", "actor_id", - "business", - "org", + "workflow_run_id", + "run_number", "repo", - "user", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", "created_at", - "operation_type", - "programmatic_access_type", - "token_scopes" + "operation_type" ] }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { @@ -5874,19 +8453,22 @@ "description": "A workflow was disabled.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "workflow_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { @@ -5894,19 +8476,21 @@ "description": "A workflow was enabled, after previously being disabled by disable_workflow.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", + "user_agent", + "request_id", "actor", "actor_id", - "business", - "org", "repo", - "user", - "created_at", + "repo_id", + "workflow_id", + "action", "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", "programmatic_access_type", - "token_scopes" + "request_access_security_header" ] }, { @@ -5914,25 +8498,51 @@ "description": "A workflow was pinned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { @@ -5940,19 +8550,25 @@ "description": "A workflow was unpinned after previously being pinned.", "docs_reference_links": "N/A", "fields": [ - "@timestamp", - "_document_id", - "action", "actor", "actor_id", - "business", - "org", + "user_agent", + "request_id", "repo", - "user", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", "created_at", "operation_type", - "programmatic_access_type", - "token_scopes" + "actor_is_bot", + "request_access_security_header" ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.14/enterprise.json b/src/audit-logs/data/ghes-3.14/enterprise.json index d3e0210e4f4b..561a36ae4fcb 100644 --- a/src/audit-logs/data/ghes-3.14/enterprise.json +++ b/src/audit-logs/data/ghes-3.14/enterprise.json @@ -2,4086 +2,16249 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "account_recovery_token.confirm", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "token_id", + "user_id", + "user", + "actor", + "operation_type" + ] }, { "action": "account_recovery_token.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", + "actor", + "user_id", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "account_recovery_token.recover", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" + ] }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "api.request", "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests", + "fields": [ + "user_agent", + "request_id", + "request_method", + "query_string", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "request_body", + "status_code", + "url_path", + "business", + "business_id", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "route", + "rate_limit_remaining", + "actor_is_bot" + ], "docs_reference_titles": "Streaming the audit log for your enterprise" }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "audit_log_streaming.check", "description": "A manual check of the endpoint configured for audit log streaming was performed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "audit_log_stream_result", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_sink_details", + "request_access_security_header" + ] }, { "action": "audit_log_streaming.create", "description": "An endpoint was added for audit log streaming.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business_id", + "business", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_id" + ] }, { "action": "audit_log_streaming.destroy", "description": "An audit log streaming endpoint was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_id", + "audit_log_stream_sink_details" + ] }, { "action": "audit_log_streaming.update", "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "audit_log_stream_enabled", + "business_id", + "business", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "new_s3_bucket", + "old_s3_bucket", + "secrets_updated", + "new_s3_arn_role", + "old_s3_arn_role", + "new_azure_blob_container", + "old_azure_blob_container", + "new_event_hub_instance", + "old_event_hub_instance", + "new_splunk_domain", + "old_splunk_domain", + "ssl_verify", + "old_gc_bucket" + ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "billing.update_bill_cycle_day", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.add_admin", "description": "An enterprise owner was added to an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "name", + "business", + "user", + "user_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "action", + "operation_type", + "request_id", + "business_id", + "_document_id", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { "action": "business.add_organization", "description": "An organization was added to an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "actor", + "business_id", + "org", + "action", + "user_agent", + "actor_id", + "name", + "created_at", + "request_id", + "_document_id", + "business", + "organization_upgrade", + "request_access_security_header" + ] }, { "action": "business_advanced_security.disabled", "description": "GitHub Advanced Security was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was disabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled", "description": "GitHub Advanced Security was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was enabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.advanced_security_policy_update", "description": "An enterprise owner created, updated, or removed a policy for GitHub Advanced Security.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "business.advanced_security_repo_admin_enablement_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business_advanced_security.user_namespace_repos_disabled", "description": "GitHub Advanced Security was disabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.user_namespace_repos_enabled", "description": "GitHub Advanced Security was enabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.clear_actions_settings", "description": "An enterprise owner or site administrator cleared GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.clear_default_repository_permission", "description": "An enterprise owner cleared the base repository permission policy setting for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "name", + "operation_type", + "business_id", + "user_agent", + "actor_id", + "request_id", + "actor", + "_document_id", + "business", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.clear_members_can_create_repos", "description": "An enterprise owner cleared a restriction on repository creation in organizations in the enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#setting-a-policy-for-repository-creation", + "fields": [ + "user_agent", + "actor_id", + "business_id", + "action", + "_document_id", + "request_id", + "name", + "business", + "visibility", + "created_at", + "actor", + "operation_type", + "@timestamp" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.code_scanning_autofix_policy_update", "description": "The policy for Code scanning autofix was updated for an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.create", "description": "An enterprise was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "_document_id", + "action", + "@timestamp", + "request_id", + "name", + "business", + "business_id", + "operation_type", + "actor", + "created_at", + "user_agent", + "request_access_security_header" + ] }, { "action": "business_dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for new repositories in your enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for new repositories in your enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.dependabot_alerts_repo_admin_enablement_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.disable_open_scim", "description": "SCIM provisioning for custom integrations that use the REST API was disabled for the enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was disabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { "action": "business.disable_two_factor_requirement", "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "@timestamp", + "actor", + "business", + "operation_type", + "created_at", + "user_agent", + "business_id", + "actor_id", + "name", + "_document_id", + "request_id" + ] }, { "action": "business.enable_open_scim", "description": "SCIM provisioning for custom integrations that use the REST API was enabled for the enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was enabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { "action": "business.enable_two_factor_requirement", "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "actor", + "operation_type", + "created_at", + "business", + "business_id", + "name", + "_document_id", + "request_id", + "@timestamp" + ] }, { "action": "business.members_can_update_protected_branches.clear", "description": "An enterprise owner unset a policy for whether members of an enterprise can update protected branches on repositories for individual organizations. Organization owners can choose whether to allow updating protected branches settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "business", + "name", + "operation_type", + "user", + "user_agent", + "business_id", + "_document_id" + ] }, { "action": "business.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update branch protection rules was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "business.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update branch protection rules was enabled. Enterprise owners and members can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "actor", + "operation_type", + "_document_id", + "business_id", + "user", + "@timestamp", + "business", + "actor_id", + "created_at", + "action", + "user_agent", + "request_id", + "user_id" + ] }, { "action": "business.remove_admin", "description": "An enterprise owner was removed from an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "actor", + "operation_type", + "user_agent", + "business", + "business_id", + "@timestamp", + "created_at", + "request_id", + "action", + "name", + "actor_id", + "user_id", + "_document_id", + "user" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { "action": "business.remove_organization", "description": "An organization was removed from an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "action", + "business", + "actor", + "actor_id", + "request_id", + "created_at", + "user_agent", + "business_id", + "operation_type", + "@timestamp", + "_document_id", + "name", + "org" + ] }, { "action": "business.rename_slug", "description": "The slug for the enterprise URL was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "name", + "business_id", + "user_agent", + "action", + "actor_id", + "operation_type", + "actor", + "@timestamp", + "created_at", + "business", + "_document_id" + ] }, { "action": "business.revoke_sso_session", "description": "The SAML single sign-on session for a member in an enterprise was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "user_agent", + "request_id", + "user", + "operation_type", + "actor", + "_document_id", + "actor_id", + "name", + "@timestamp", + "user_id", + "action", + "created_at", + "business" + ] }, { "action": "business_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_custom_pattern.create", "description": "An enterprise-level custom pattern was created for secret scanning.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern.delete", "description": "An enterprise-level custom pattern was removed from secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_secret_scanning_custom_pattern.publish", "description": "An enterprise-level custom pattern was published for secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern.update", "description": "Changes to an enterprise-level custom pattern were saved and a dry run was executed for secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_secret_scanning.disable", "description": "Secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.disabled_for_new_repos", "description": "Secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enable", "description": "Secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enabled_for_new_repos", "description": "Secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_push_protection_custom_message.disable", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.enable", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.update", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disable", "description": "Push protection for secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disabled_for_new_repos", "description": "Push protection for secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enable", "description": "Push protection for secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enabled_for_new_repos", "description": "Push protection for secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.secret_scanning_repo_admin_settings_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your enterprise. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "issuer", + "name", + "user_agent", + "action", + "@timestamp", + "_document_id", + "actor", + "business", + "business_id", + "actor_id", + "created_at", + "request_id", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.update_actions_settings", "description": "An enterprise owner or site administrator updated GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "updated_github_owned_allowed", + "updated_verified_allowed", + "updated_patterns", + "new_policy", + "old_policy", + "updated_access_policy" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.update_default_repository_permission", "description": "The base repository permission setting was updated for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "business_id", + "operation_type", + "user_agent", + "actor", + "actor_id", + "permission", + "action", + "created_at", + "@timestamp", + "request_id", + "name", + "_document_id", + "old_permission", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_creation_permission", "description": "The repository creation setting was updated for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-creation", + "fields": [ + "created_at", + "_document_id", + "request_id", + "name", + "business_id", + "actor", + "actor_id", + "@timestamp", + "operation_type", + "permission", + "action", + "business", + "user_agent", + "visibility" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_invitation_permission", "description": "The policy setting for enterprise members inviting outside collaborators to repositories was updated.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-inviting-outside-collaborators-to-repositories", + "fields": [ + "business_id", + "created_at", + "action", + "operation_type", + "@timestamp", + "request_id", + "permission", + "actor", + "actor_id", + "name", + "_document_id", + "user_agent", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "code.search", "description": "A code search was run targeting an organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/search-github/github-code-search", + "fields": [ + "@timestamp", + "action", + "actor_id", + "business_id", + "query", + "org_id", + "user_id", + "_document_id", + "search_string" + ], "docs_reference_titles": "/search-github/github-code-search" }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_domain.approve", "description": "A domain was approved for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#approving-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.create", "description": "A domain was added to an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.destroy", "description": "A domain was removed from an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#removing-an-approved-or-verified-domain", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.verify", "description": "A domain was verified for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise.register_self_hosted_runner", "description": "A new GitHub Actions self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "enterprise.remove_self_hosted_runner", "description": "A GitHub Actions self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_created", "description": "A GitHub Actions self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_removed", "description": "A GitHub Actions self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runner_removed", "description": "The REST API was used to remove a GitHub Actions self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "enterprise.runner_group_runners_added", "description": "A GitHub Actions self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runners_updated", "description": "A GitHub Actions runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "enterprise.runner_group_updated", "description": "The configuration of a GitHub Actions self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.self_hosted_runner_offline", "description": "The GitHub Actions runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_online", "description": "The GitHub Actions runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_updated", "description": "The GitHub Actions runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "enterprise_team.add_member", "description": "A new member was added to the enterprise team or an IdP group linked to an enterprise team, or an IdP group was linked to an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "user", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_team.copilot_assignment", "description": "A license for GitHub Copilot was assigned to an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "enterprise_team.copilot_unassignment", "description": "A license for GitHub Copilot was unassigned from an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "enterprise_team.create", "description": "A new enterprise team was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "enterprise_team.destroy", "description": "An enterprise team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "enterprise_team.remove_member", "description": "A member was removed from the enterprise team or an IdP group linked to an enterprise team, or an IdP group was unlinked from an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "user", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_team.rename", "description": "The name of an enterprise team was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "external_group.add_member", "description": "A user was added to an external group.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group", + "external_group_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.delete", "description": "An external group was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "scim_group_id" + ] }, { "action": "external_group.link", "description": "An external group was linked to a GitHub team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "external_group_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group", + "programmatic_access_type", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.provision", "description": "An external group was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "external_group.remove_member", "description": "A user was removed from an external group.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group", + "external_group_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "external_group.scim_api_failure", "description": "Failed external group SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.scim_api_success", "description": "Successful external group SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.unlink", "description": "An external group was unlinked to a GitHub team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "external_group_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group" + ] }, { "action": "external_group.update", "description": "An external group was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.update_display_name", "description": "An external group's display name was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group_id", + "external_group", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_identity.deprovision", "description": "An external identity was deprovisioned, suspending the linked GitHub user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "external_identity.provision", "description": "An external identity was created and linked to a GitHub user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] }, { "action": "external_identity.scim_api_failure", "description": "Failed external identity SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.scim_api_success", "description": "Successful external identity SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.update", "description": "An external identity was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] }, { "action": "gist.create", "description": "A gist was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "user", + "gist_id", + "@timestamp", + "created_at", + "operation_type", + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "gist.destroy", "description": "A gist was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "gist_id", + "visibility", + "created_at", + "_document_id", + "user", + "request_id", + "operation_type", + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "gist.visibility_change", "description": "The visibility of a gist was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "git.clone", "description": "A repository was cloned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.fetch", "description": "Changes were fetched from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.push", "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "gpg_key.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "created_at", + "user_id", + "@timestamp", + "user", + "operation_type", + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" + ] }, { "action": "gpg_key.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor", + "actor_id", + "user", + "action", + "created_at", + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "ip_allow_list.disable", "description": "An IP allow list was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "actor", + "request_id", + "org", + "user_agent", + "_document_id", + "user_id", + "actor_id", + "created_at", + "org_id", + "action", + "@timestamp", + "user" + ] }, { "action": "ip_allow_list.disable_for_installed_apps", "description": "An IP allow list was disabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.disable_user_level_enforcement", "description": "IP allow list user level enforcement was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ip_allow_list.enable", "description": "An IP allow list was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", + "_document_id", + "action", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "org", + "created_at" + ] }, { "action": "ip_allow_list.enable_for_installed_apps", "description": "An IP allow list was enabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.enable_user_level_enforcement", "description": "IP allow list user level enforcement was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ip_allow_list_entry.create", "description": "An IP address was added to an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "active", + "org", + "ip_allow_list_entry", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "actor_id", + "business_id", + "org_id", + "business", + "actor", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.destroy", "description": "An IP address was deleted from an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", + "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.update", "description": "An IP address or its description was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "actor", + "org", + "action", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" + ] }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing_plan.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "actor", + "action", + "operation_type", + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" + ] }, { "action": "marketplace_listing_plan.publish", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", + "_document_id", + "action", + "user_agent", + "request_id", + "actor", + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" + ] }, { "action": "marketplace_listing_plan.retire", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", + "created_at", + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" + ] }, { "action": "marketplace_listing_plan.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "monthly_price_in_cents", + "marketplace_listing", + "_document_id", + "action", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", + "actor_id", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", + "operation_type", + "actor", + "created_at" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_access.regenerate", "description": "An OAuth access token was regenerated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "_document_id", + "created_at", + "@timestamp", + "operation_type", + "action", + "user_agent", + "request_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "oauth_application_name" + ] }, { "action": "oauth_access.update", "description": "An OAuth access token was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "action", + "@timestamp", + "user", + "user_agent", + "request_access_security_header" + ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.suspend", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user_agent", + "org_id", + "org", + "operation_type", + "oauth_application_id", + "action", + "created_at", + "actor", + "actor_id", + "oauth_application", + "_document_id", + "request_id" + ] }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.unsuspend", "description": "An OAuth application was unsuspended for a user or organization account.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "operation_type", + "org_id", + "action", + "oauth_application_id", + "oauth_application", + "org", + "created_at", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "oauth_authorization.update", "description": "An authorization for an OAuth application was updated.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "org_id", + "request_id", + "user_id", + "actor", + "actor_id", + "user_agent", + "@timestamp", + "operation_type", + "action", + "user", + "created_at", + "_document_id", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.add_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.async_delete", "description": "A user initiated a background job to delete an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "request_id", + "org", + "org_id", + "user_agent", + "created_at" + ] }, { "action": "org.billing_signup_error", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_agent", + "action", + "@timestamp", + "actor_id", + "org_id", + "_document_id", + "actor", + "org", + "operation_type" + ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.cancel_invitation", "description": "An invitation sent to a user to join an organization was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "email", + "@timestamp", + "actor", + "action", + "operation_type", + "user_agent", + "org", + "invitation_id", + "_document_id", + "created_at", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.clear_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "org.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.delete", "description": "An organization was deleted by a user or staff.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "@timestamp", + "_document_id", + "created_at", + "actor", + "org_id", + "org", + "action", + "actor_id", + "operation_type", + "request_id", + "request_access_security_header" + ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.disable_saml", "description": "SAML single sign-on was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "sso_url", + "issuer", + "action", + "@timestamp", + "_document_id", + "created_at", + "org", + "operation_type" + ] }, { "action": "org.disable_two_factor_requirement", "description": "A two-factor authentication requirement was disabled for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "org_id", + "action", + "actor", + "actor_id", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "user_agent" + ] }, { "action": "org.display_commenter_full_name_disabled", "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "user", + "action", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" + ] }, { "action": "org.display_commenter_full_name_enabled", "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_agent", + "request_id", + "actor", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", + "action", + "actor_id", + "org_id" + ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.integration_manager_added", "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "org_id", + "manager", + "@timestamp", + "request_id", + "actor", + "operation_type", + "_document_id", + "actor_id", + "org", + "action", + "created_at" + ] }, { "action": "org.integration_manager_removed", "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "@timestamp", + "org", + "user_agent", + "request_id", + "action", + "actor", + "actor_id", + "manager", + "operation_type", + "created_at", + "_document_id" + ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { "action": "org.invite_to_business", "description": "An organization was invited to join an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "org.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "actor", + "user", + "action" + ] }, { "action": "org.rate_limited_invites", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "org_id", + "action", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org" + ] }, { "action": "org.recreate", "description": "An organization was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "action", + "operation_type", + "_document_id", + "user_agent", + "actor_id", + "@timestamp", + "request_id", + "actor", + "org_id" + ] }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.remove_outside_collaborator", "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user", + "org_id", + "created_at", + "request_id", + "@timestamp", + "action", + "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.remove_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "org.rename", "description": "An organization was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "@timestamp", + "org", + "action", + "actor", + "old_login", + "org_id", + "request_id", + "actor_id", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "org_id", + "operation_type", + "actor", + "actor_id", + "@timestamp", + "request_id", + "created_at", + "org", + "action" + ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "user_agent", + "actor", + "actor_id", + "org_id", + "@timestamp", + "org", + "issuer", + "business", + "operation_type", + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.transform", "description": "A user account was converted into an organization.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization", + "fields": [ + "actor", + "_document_id", + "request_id", + "operation_type", + "actor_id", + "org_id", + "org", + "action", + "@timestamp", + "created_at", + "user_agent", + "owner", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization" }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_default_repository_permission", "description": "The default repository permission level for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "operation_type", + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" + ] }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_saml_provider_settings", "description": "An organization's SAML provider settings were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", + "@timestamp", + "issuer", + "org", + "_document_id", + "actor", + "org_id", + "created_at", + "request_id", + "action" + ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_published", "description": "A package was published or republished to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_version_published", "description": "A specific package version was published or republished to a package.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "passkey.register", "description": "A new passkey was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "passkey.remove", "description": "A new passkey was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.create", "description": "Triggered when you create a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "personal_access_token.credential_regenerated", "description": "Triggered when you regenerate a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { "action": "personal_access_token.destroy", "description": "Triggered when you delete a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { "action": "protected_branch.branch_allowances", "description": "A protected branch allowance was given to a specific user, team or integration.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "name", + "authorized_actors", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "protected_branch.create", "description": "Branch protection was enabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "repo_id", + "user_id", + "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", + "_document_id", + "request_id", + "actor", + "actor_id", + "org", + "action", + "created_at", + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.destroy", "description": "Branch protection was disabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "repo", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "repo_id", + "org_id", + "operation_type", + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.dismiss_stale_reviews", "description": "Enforcement of dismissing stale pull requests was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", + "action", + "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", + "operation_type", + "actor", + "repo", + "org", + "name", + "programmatic_access_type" + ] }, { "action": "protected_branch.dismissal_restricted_users_teams", "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", + "actor_id", + "org", + "action", + "operation_type", + "programmatic_access_type" + ] }, { "action": "protected_branch.policy_override", "description": "A branch protection requirement was overridden by a repository administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor", + "reasons", + "@timestamp", + "before", + "after", + "actor_id", + "repo", + "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "rule_suite_id" + ] }, { "action": "protected_branch.rejected_ref_update", "description": "A branch update attempt was rejected.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "@timestamp", + "created_at", + "_document_id", + "business", + "org_id", + "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" + ] }, { "action": "protected_branch.update_admin_enforced", "description": "Branch protection was enforced for repository administrators.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "admin_enforced", + "operation_type", + "user_agent", + "actor", + "org", + "name", + "repo", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_allow_deletions_enforcement_level", "description": "Branch deletion was enabled or disabled for a protected branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "operation_type", + "request_id", + "repo", + "@timestamp", + "org_id", + "org", + "action", + "allow_deletions_enforcement_level", + "_document_id", + "created_at", + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" + ] }, { "action": "protected_branch.update_allow_force_pushes_enforcement_level", "description": "Force pushes were enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "actor_id", + "name", + "_document_id", + "actor", + "repo", + "operation_type", + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_linear_history_requirement_enforcement_level", "description": "Required linear commit history was enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "operation_type", + "actor", + "linear_history_requirement_enforcement_level", + "repo", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "protected_branch.update_name", "description": "A branch name pattern was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "old_name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "protected_branch.update_pull_request_reviews_enforcement_level", "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "org_id", + "_document_id", + "actor_id", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", + "org", + "repo", + "action", + "business", + "user_agent", + "created_at", + "repo_id", + "operation_type", + "actor", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_code_owner_review", "description": "Enforcement of required code owner review was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", + "action", + "@timestamp", + "actor", + "actor_id", + "repo", + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { "action": "protected_branch.update_required_approving_review_count", "description": "Enforcement of the required number of approvals before merging was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "required_approving_review_count", + "repo", + "request_id", + "repo_id", + "created_at", + "actor", + "operation_type", + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_required_status_checks_enforcement_level", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "user_agent", + "@timestamp", + "_document_id", + "name", + "repo", + "action", + "business_id", + "repo_id", + "business", + "actor_id", + "operation_type", + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_signature_requirement_enforcement_level", "description": "Enforcement of required commit signing was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "name", + "@timestamp", + "created_at", + "_document_id", + "request_id", + "repo_id", + "org", + "org_id", + "action", + "actor", + "actor_id", + "signature_requirement_enforcement_level", + "repo", + "user_agent", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_strict_required_status_checks_policy", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "_document_id", + "org", + "@timestamp", + "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", + "operation_type", + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" + ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.in_progress", "description": "A pull request was marked as in progress.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "pull_request.indirect_merge", "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { "action": "pull_request.rebase", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "pull_request_url", + "pull_request_title", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.reopen", "description": "A pull request was reopened after previously being closed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request_review_comment.delete", "description": "A review comment on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "_document_id", + "repo", + "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.update", "description": "A review comment on a pull request was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "request_id", + "actor_id", + "action", + "created_at", + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review.delete", "description": "A review on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "visibility", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.disk_archive", "description": "A repository was archived on disk.", "docs_reference_links": "/repositories/archiving-a-github-repository/archiving-repositories", + "fields": [ + "actor_id", + "repo", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "repo_id", + "actor", + "action", + "user_agent" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository/archiving-repositories" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { "action": "repo.hide_from_discovery", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "org", + "operation_type", + "visibility", + "repo_id", + "created_at", + "actor", + "action", + "@timestamp", + "org_id", + "request_id", + "repo", + "_document_id" + ] }, { "action": "repo.noindex", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo_id", + "request_id", + "action", + "_document_id", + "@timestamp", + "actor_id", + "created_at", + "user", + "operation_type", + "actor", + "user_agent", + "repo", + "user_id", + "public_repo" + ] }, { "action": "repo.override_unlock", "description": "The repository was unlocked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_build", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "action", + "_document_id", + "actor_id", + "repo", + "repo_id", + "operation_type", + "user_agent", + "request_id", + "created_at", + "visibility", + "actor", + "user_id" + ] }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.require_login", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "visibility", + "operation_type", + "repo", + "_document_id", + "user", + "user_id", + "actor", + "actor_id", + "user_agent", + "repo_id", + "action", + "@timestamp", + "request_id" + ] }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { "action": "repository_secret_scanning.enable", "description": "Secret scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.reopen", "description": "A secret scanning alert was reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type_display_name" + ] }, { "action": "secret_scanning_alert.resolve", "description": "A secret scanning alert was resolved.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "resolution", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" + ] }, { "action": "secret_scanning_alert.revoke", "description": "A secret scanning alert was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "security_key.register", "description": "A security key was registered for an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "created_at", + "user_id", + "action", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" + ] }, { "action": "security_key.remove", "description": "A security key was removed from an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "action", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "staff.set_domain_token_expiration", "description": "The verification code expiry time for an organization or enterprise domain was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "staff.unverify_domain", "description": "An organization or enterprise domain was unverified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "staff.verify_domain", "description": "An organization or enterprise domain was verified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "domain_name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { "action": "team.add_repository", "description": "A team was given access and permissions to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", + "org", + "repo", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { "action": "team.create", "description": "A new team is created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", + "org", + "actor", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { "action": "team.destroy", "description": "A team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", + "operation_type", + "_document_id", + "programmatic_access_type" + ] }, { "action": "team_discussions.clear", "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "actor_id", + "user", + "business", + "action", + "request_id", + "created_at", + "user_id", + "_document_id" + ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { "action": "team_discussions.enable", "description": "Team discussions were enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "@timestamp", + "action", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", + "user", + "business", + "operation_type", + "actor", + "created_at" + ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { "action": "team.remove_repository", "description": "A repository was removed from a team's control.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "org_id", + "repo", + "repo_id", + "action", + "_document_id", + "actor", + "@timestamp", + "actor_id", + "user_agent", + "created_at", + "team", + "org", + "operation_type", + "programmatic_access_type" + ] }, { "action": "team.rename", "description": "A team's name was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "user_agent", + "created_at", + "team", + "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team.update_repository_permission", "description": "A team's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "team", + "org_id", + "@timestamp", + "org", + "_document_id", + "old_permission", + "request_id", + "repo", + "action", + "repo_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "trusted_device.register", "description": "A new trusted device was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "trusted_device.remove", "description": "A trusted device was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "two_factor_account_recovery.abort", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "action", + "request_id", + "user_id", + "@timestamp", + "_document_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "two_factor_account_recovery.complete", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "created_at", + "user_id", + "operation_type", + "user", + "_document_id", + "user_agent", + "action" + ] }, { "action": "two_factor_account_recovery.ignore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "created_at", + "user_id", + "operation_type", + "@timestamp", + "user", + "action" + ] }, { "action": "two_factor_account_recovery.staff_approve", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "action", + "_document_id" + ] }, { "action": "two_factor_account_recovery.staff_decline", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user", + "created_at", + "request_id", + "actor_id", + "_document_id" + ] }, { "action": "two_factor_account_recovery.start", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" + ] }, { "action": "two_factor_account_recovery.two_factor_destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "user", + "_document_id", + "request_id" + ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { "action": "two_factor_authentication.password_reset_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", + "@timestamp", + "request_id", + "_document_id", + "user_agent" + ] }, { "action": "two_factor_authentication.recovery_codes_regenerated", "description": "Two factor recovery codes were regenerated for a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "action", + "user", + "user_agent", + "actor_id", + "@timestamp", + "created_at" + ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.sign_in_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "operation_type", + "user_id", + "user", + "user_agent", + "created_at", + "_document_id", + "action", + "@timestamp" + ] }, { "action": "two_factor_authentication.update_fallback", "description": "The two-factor authentication fallback for a user account was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "user", + "user_id", + "operation_type", + "user_agent", + "action", + "request_id", + "actor", + "actor_id" + ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { "action": "user.async_delete", "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "created_at", + "user", + "@timestamp", + "_document_id", + "request_id", + "actor_id", + "operation_type", + "user_agent", + "action", + "request_access_security_header" + ] }, { "action": "user.audit_log_export", "description": "Audit log entries were exported.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", + "operation_type", + "created_at" + ] }, { "action": "user.block_user", "description": "A user was blocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_id", + "_document_id", + "actor_id", + "@timestamp", + "user_agent", + "user", + "request_id", + "blocked_user", + "operation_type", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.change_password", "description": "A user changed their password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "actor", + "user", + "user_id", + "action", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.correct_password_from_unrecognized_device", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "user_agent", + "created_at", + "user", + "action", + "operation_type", + "request_id", + "user_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.correct_password_from_unrecognized_device_and_location", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "_document_id", + "@timestamp", + "created_at", + "user_agent", + "operation_type", + "request_id", + "user_id", + "action", + "request_access_security_header" + ] }, { "action": "user.correct_password_from_unrecognized_location", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "created_at", + "_document_id", + "user_agent", + "user_id", + "@timestamp", + "user", + "action", + "request_access_security_header" + ] }, { "action": "user.create", "description": "A new user account was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "email", + "user_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "created_at", + "_document_id", + "user_agent", + "actor", + "actor_id", + "action", + "programmatic_access_type" + ] }, { "action": "user.create_integration_secret", "description": "A user secret for Codespaces was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.creation_rate_limit_exceeded", "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "user_agent", + "_document_id", + "operation_type", + "oauth_application_id", + "action", + "actor", + "actor_id", + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.delete", "description": "A user account was destroyed by an asynchronous job.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "user_id", + "actor", + "actor_id", + "user", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.demote", "description": "A site administrator was demoted to an ordinary user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "oauth_application_id", + "action", + "user", + "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "_document_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.destroy", "description": "A user deleted his or her account, triggering user.async_delete.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "user", + "_document_id", + "created_at", + "user_agent", + "user_id", + "operation_type", + "actor_id", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.device_verification_failure", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.device_verification_requested", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user_id", + "actor", + "operation_type", + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" + ] }, { "action": "user.device_verification_success", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user", + "_document_id", + "action", + "operation_type", + "user_agent", + "created_at", + "request_id", + "actor", + "actor_id", + "user_id", + "request_access_security_header" + ] }, { "action": "user.disable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user_email.confirm_claim", "description": "An enterprise managed user claimed an email address.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { "action": "user.enable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.failed_login", "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", + "actor", + "actor_id", + "user_agent" + ] }, { "action": "user.flag_as_large_scale_contributor", "description": "A user account was flagged as a large scale contributor. Only contributions from public repositories the user owns will be shown in their contribution graph, in order to prevent timeouts.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "user_agent", + "created_at" + ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { "action": "user.grant_github_developer", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", + "@timestamp", + "_document_id", + "user", + "user_id", + "actor", + "operation_type", + "request_id" + ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.login", "description": "A user signed in.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "actor_id", + "@timestamp", + "user", + "action", + "operation_type", + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" + ] }, { "action": "user.logout", "description": "A user signed out.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.minimize_comment", "description": "A comment made by a user was minimized.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "actor_id", + "@timestamp", + "created_at", + "operation_type", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.new_device_used", "description": "A user signed in from a new device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ] }, { "action": "user.partial_two_factor_email_followup", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "_document_id", + "action", + "@timestamp", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "user.promote", "description": "An ordinary user account was promoted to a site administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "actor", + "actor_id", + "user", + "@timestamp", + "created_at", + "user_agent", + "oauth_application_id", + "request_id", + "operation_type", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.recreate", "description": "A user's account was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user", + "action", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user_id", + "created_at", + "actor", + "operation_type" + ] }, { "action": "user.remove_email", "description": "An email address was removed from a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "@timestamp", + "_document_id", + "request_id", + "user", + "user_id", + "operation_type", + "actor", + "actor_id", + "created_at", + "email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.remove_integration_secret", "description": "A user secret for Codespaces was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.remove_large_scale_contributor_flag", "description": "A user account was no longer flagged as a large scale contributor.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.rename", "description": "A username was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "request_id", + "actor_id", + "old_login", + "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", + "operation_type", + "user_agent", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.report_abuse", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "user_agent", + "request_id", + "action", + "@timestamp", + "created_at", + "org_id", + "_document_id", + "actor", + "actor_id", + "user", + "operation_type" + ] }, { "action": "user.report_content", "description": "Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam", + "fields": [ + "org_id", + "request_id", + "user", + "user_agent", + "action", + "created_at", + "actor", + "operation_type", + "actor_id", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam" }, { "action": "user.reset_password", "description": "A user reset their account password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "user", + "request_id", + "user_id", + "created_at", + "@timestamp", + "_document_id", + "actor", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_session.country_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_id", + "action", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.sign_in_from_unrecognized_device", "description": "A user signed in from an unrecognized device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "operation_type", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_device_and_location", "description": "A user signed in from an unrecognized device and location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "request_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_location", "description": "A user signed in from an unrecognized location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "action", + "operation_type", + "user_agent", + "user", + "_document_id", + "actor", + "created_at", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user_status.destroy", "description": "Triggered when you clear the status on your profile.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_id", + "actor", + "message", + "user", + "actor_id", + "created_at", + "request_id", + "limited_availability", + "action", + "emoji", + "operation_type", + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { "action": "user.suspend", "description": "A user account was suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "operation_type", + "actor_id", + "user", + "user_agent", + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.toggle_warn_private_email", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "actor_id", + "@timestamp", + "operation_type", + "_document_id", + "user_agent", + "actor", + "action", + "user_id", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_success", "description": "A 2FA challenge issued for a user account succeeded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_id", + "operation_type", + "actor_id", + "user", + "actor", + "user_agent", + "request_id", + "action", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_recover", "description": "A user used their 2FA recovery codes.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", + "action", + "actor", + "actor_id", + "created_at", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_downloaded", "description": "A user downloaded 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "actor_id", + "user", + "request_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_printed", "description": "A user printed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", + "actor", + "actor_id", + "@timestamp" + ] }, { "action": "user.two_factor_recovery_codes_viewed", "description": "A user viewed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "actor", + "user_id", + "action", + "created_at", + "user", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { "action": "user.unblock_user", "description": "A user was unblocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", + "actor", + "@timestamp", + "user_agent", + "user_id", + "user", + "created_at", + "request_access_security_header" + ] }, { "action": "user.unminimize_comment", "description": "A comment made by a user was unminimized.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user_agent", + "_document_id", + "actor_id", + "user", + "user_id", + "operation_type", + "request_id", + "actor", + "action", + "created_at" + ] }, { "action": "user.unsuspend", "description": "A user account was unsuspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "user", + "action", + "user_agent", + "actor", + "oauth_application_id", + "operation_type", + "actor_id", + "created_at", + "@timestamp", + "user_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.update_integration_secret", "description": "A user secret for Codespaces was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.update_new_repository_default_branch_setting", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.14/organization.json b/src/audit-logs/data/ghes-3.14/organization.json index 4069aeee131c..6dfb67192a9f 100644 --- a/src/audit-logs/data/ghes-3.14/organization.json +++ b/src/audit-logs/data/ghes-3.14/organization.json @@ -2,3754 +2,15167 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "advisory_credit.accept", "description": "Credit was accepted for a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory" }, { "action": "advisory_credit.create", "description": "Someone was added to the credit section of a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "advisory_credit.decline", "description": "Credit was declined for a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "advisory_credit.destroy", "description": "Someone was removed from the credit section of a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "auto_approve_personal_access_token_requests.disable", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources. See also: personal_access_token.auto_approve_grant_requests_disabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "auto_approve_personal_access_token_requests.enable", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval. See also: personal_access_token.auto_approve_grant_requests_enabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "code.search", "description": "A code search was run targeting an organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/search-github/github-code-search", + "fields": [ + "@timestamp", + "action", + "actor_id", + "business_id", + "query", + "org_id", + "user_id", + "_document_id", + "search_string" + ], "docs_reference_titles": "/search-github/github-code-search" }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.attempted_to_create_from_prebuild", "description": "An attempt to create a codespace from a prebuild was made.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "pull_request_id", + "repository", + "repository_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "codespaces.business_enablement_updated", "description": "Enterprise setting for Codespaces ownership was updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "organization_names", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.policy_group_created", "description": "Policies were applied to codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.policy_group_deleted", "description": "Policies were removed from codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "codespaces.policy_group_updated", "description": "Policies were updated for codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "commit_comment.destroy", "description": "A commit comment was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "repo", + "org", + "org_id", + "created_at", + "@timestamp", + "operation_type", + "repo_id", + "actor_id", + "request_id", + "_document_id", + "user_agent", + "action", + "programmatic_access_type" + ] }, { "action": "commit_comment.update", "description": "A commit comment was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "repo_id", + "actor", + "org", + "request_id", + "action", + "@timestamp", + "repo", + "org_id", + "actor_id", + "created_at", + "user_agent", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "copilot.access_revoked", "description": "Copilot access was revoked for the organization or enterprise due to its Copilot subscription ending, an issue with billing the entity, the entity being marked spammy, or the entity being suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "plan", + "org_id", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "copilot.cfb_org_settings_changed", "description": "Copilot feature settings were changed at the organization level.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.cfb_seat_management_changed", "description": "The seat management setting was changed at the organization level to either enable or disable Copilot access for all members of the organization, or to enable Copilot access for selected members or teams.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_value", + "new_value", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "copilot.content_exclusion_changed", "description": "The excluded paths for GitHub Copilot were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "excluded_paths", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.knowledge_base_created", "description": "A knowledge base was created in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_deleted", "description": "A knowledge base was deleted from the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_updated", "description": "A knowledge base was updated in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.plan_changed", "description": "The plan for GitHub Copilot was updated.", "docs_reference_links": "/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_plan", + "plan", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About billing for GitHub Copilot" }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "discussion_comment.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "repo_id", + "request_id", + "action", + "actor", + "org_id", + "_document_id", + "actor_id", + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "discussion_comment.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "@timestamp", + "actor", + "user_agent", + "request_id", + "org", + "_document_id", + "actor_id", + "operation_type", + "created_at", + "repo", + "org_id", + "action", + "request_access_security_header" + ] }, { "action": "discussion.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "user_agent", + "actor_id", + "org_id", + "actor", + "org", + "action", + "operation_type", + "@timestamp", + "request_id", + "title", + "_document_id", + "created_at", + "repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_installation.create", "description": "The GitHub App associated with a GitHub Connect connection was created.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "operation_type", + "@timestamp", + "_document_id", + "org_id", + "action", + "request_id", + "org", + "actor_id", + "user_agent", + "actor" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "enterprise_installation.destroy", "description": "The GitHub App associated with a GitHub Connect connection was deleted.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "_document_id", + "action", + "@timestamp", + "actor_id", + "actor", + "user_agent", + "org", + "operation_type", + "request_id", + "org_id" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "git.clone", "description": "A repository was cloned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.fetch", "description": "Changes were fetched from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.push", "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation_request.close", "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "url", + "actor", + "actor_id", + "created_at", + "request_id", + "operation_type", + "@timestamp", + "integration", + "action", + "user_agent", + "reason", + "_document_id", + "org", + "org_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation_request.create", "description": "A member requested that an owner install a GitHub App.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "@timestamp", + "actor_id", + "org", + "_document_id", + "requester", + "action", + "user_agent", + "created_at", + "url", + "org_id", + "request_id", + "operation_type", + "actor", + "integration", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "ip_allow_list.disable", "description": "An IP allow list was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "actor", + "request_id", + "org", + "user_agent", + "_document_id", + "user_id", + "actor_id", + "created_at", + "org_id", + "action", + "@timestamp", + "user" + ] }, { "action": "ip_allow_list.disable_for_installed_apps", "description": "An IP allow list was disabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.enable", "description": "An IP allow list was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", + "_document_id", + "action", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "org", + "created_at" + ] }, { "action": "ip_allow_list.enable_for_installed_apps", "description": "An IP allow list was enabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list_entry.create", "description": "An IP address was added to an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "active", + "org", + "ip_allow_list_entry", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "actor_id", + "business_id", + "org_id", + "business", + "actor", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.destroy", "description": "An IP address was deleted from an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", + "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.update", "description": "An IP address or its description was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "actor", + "org", + "action", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" + ] }, { "action": "issue_comment.destroy", "description": "A comment on an issue was deleted from the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "org", + "repo", + "actor_id", + "@timestamp", + "created_at", + "_document_id", + "action", + "operation_type", + "user_agent", + "repo_id", + "actor", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "issue_comment.update", "description": "A comment on an issue (other than the initial one) changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "action", + "repo_id", + "org_id", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "_document_id", + "actor_id", + "actor", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "issue.destroy", "description": "An issue was deleted from the repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/deleting-an-issue", + "fields": [ + "user", + "actor_id", + "created_at", + "title", + "@timestamp", + "_document_id", + "request_id", + "actor", + "user_id", + "action", + "operation_type", + "user_agent", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting an issue" }, { "action": "issue.pinned", "description": "An issue was pinned to a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "_document_id", + "user_agent", + "actor_id", + "created_at", + "action", + "actor", + "operation_type", + "owner_type", + "@timestamp", + "repo_id", + "request_id", + "number", + "repo", + "event", + "user", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issue.transfer", "description": "An issue was transferred to another repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/transferring-an-issue-to-another-repository", + "fields": [ + "user", + "user_id", + "@timestamp", + "user_agent", + "owner_type", + "actor_id", + "number", + "repo", + "operation_type", + "_document_id", + "repo_id", + "action", + "request_id", + "created_at", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "Transferring an issue to another repository" }, { "action": "issue.unpinned", "description": "An issue was unpinned from a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "event", + "user_agent", + "actor_id", + "repo_id", + "actor", + "action", + "created_at", + "request_id", + "repo", + "operation_type", + "_document_id", + "number", + "owner_type", + "@timestamp", + "user", + "user_id", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issues.deletes_disabled", "description": "The ability for enterprise members to delete issues was disabled Members cannot delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user_agent", + "action", + "@timestamp", + "operation_type", + "request_id", + "actor_id", + "user_id", + "created_at", + "_document_id", + "actor", + "user", + "org", + "org_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_enabled", "description": "The ability for enterprise members to delete issues was enabled Members can delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "operation_type" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_policy_cleared", "description": "An enterprise owner cleared the policy setting for allowing members to delete issues in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user", + "request_id", + "actor", + "business_id", + "action", + "operation_type", + "user_agent", + "created_at", + "@timestamp", + "_document_id", + "business", + "user_id", + "actor_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "members_can_create_pages.disable", "description": "The ability for members to publish GitHub Pages sites was disabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_pages.enable", "description": "The ability for members to publish GitHub Pages sites was enabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.disable", "description": "The ability for members to publish private GitHub Pages was disabled Members cannot publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.enable", "description": "The ability for members to publish private GitHub Pages was enabled Members can publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.disable", "description": "The ability for members to publish public GitHub Pages was disabled Members cannot publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.enable", "description": "The ability for members to publish public GitHub Pages was enabled Members can publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_delete_repos.clear", "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "_document_id", + "request_id", + "user", + "user_id", + "business", + "operation_type", + "user_agent", + "actor", + "actor_id", + "business_id", + "@timestamp", + "created_at", + "action" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.disable", "description": "The ability for enterprise members to delete repositories was disabled Members cannot delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "request_id", + "org", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "actor", + "operation_type", + "org_id", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.enable", "description": "The ability for enterprise members to delete repositories was enabled Members can delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "action", + "org_id", + "user_id", + "business", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user", + "business_id", + "created_at", + "actor", + "org", + "operation_type", + "user_agent" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_view_dependency_insights.clear", "description": "An enterprise owner cleared the policy setting for viewing dependency insights in any organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "created_at", + "request_id", + "actor", + "action", + "operation_type" + ] }, { "action": "members_can_view_dependency_insights.disable", "description": "The ability for enterprise members to view dependency insights was disabled. Members cannot view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "business", + "created_at", + "user_id", + "business_id", + "user", + "org", + "operation_type", + "request_id", + "actor", + "_document_id", + "action", + "user_agent", + "actor_id", + "org_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "members_can_view_dependency_insights.enable", "description": "The ability for enterprise members to view dependency insights was enabled. Members can view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "user_agent", + "user", + "user_id", + "business", + "business_id", + "operation_type", + "@timestamp", + "action", + "actor", + "actor_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "migration.destroy_file", "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "org_id", + "action", + "operation_type", + "created_at", + "repo", + "_document_id", + "repo_id", + "request_access_security_header" + ] }, { "action": "migration.download", "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was downloaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "oauth_application_id", + "repo_id", + "operation_type", + "@timestamp", + "user_agent", + "created_at", + "org", + "action", + "_document_id", + "repo", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "network_configuration.create", "description": "A network configuration for a hosted compute service was created.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.delete", "description": "A network configuration for a hosted compute service was deleted.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.update", "description": "A network configuration for a hosted compute service was updated.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.add_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_disabled", "description": "Third-party application access for outside collaborators was disabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_enabled", "description": "Third-party application access for outside collaborators was enabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.archive", "description": "The organization was archived.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.audit_log_export", "description": "An export of the organization audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "actor", + "org", + "action", + "created_at", + "user_agent", + "actor_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" }, { "action": "org.audit_log_git_event_export", "description": "An export of the organization's Git events was created.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "start", + "end", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization" }, { "action": "org.billing_signup_error", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_agent", + "action", + "@timestamp", + "actor_id", + "org_id", + "_document_id", + "actor", + "org", + "operation_type" + ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.cancel_invitation", "description": "An invitation sent to a user to join an organization was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "email", + "@timestamp", + "actor", + "action", + "operation_type", + "user_agent", + "org", + "invitation_id", + "_document_id", + "created_at", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.clear_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "org.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codespaces_access_updated", "description": "Access to use Codespaces on internal and private repositories was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization" }, { "action": "org.codespaces_ownership_updated", "description": "Ownership and payment for codespaces was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { "action": "org.codespaces_team_access_allowed", "description": "A team has been allowed to use Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.codespaces_team_access_revoked", "description": "A team has been prevented from using Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to all other repositories in an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to all other repositories in an organization was revoked.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_user_access_allowed", "description": "A user has been allowed to use Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.codespaces_user_access_revoked", "description": "A user has been prevented from using Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.connect_usage_metrics_export", "description": "Server statistics were exported for the organization.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/exporting-server-statistics", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Exporting Server Statistics" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.create_actions_secret", "description": "A GitHub Actions secret was created for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.create_actions_variable", "description": "A GitHub Actions variable was created for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org_credential_authorization.deauthorize", "description": "A member removed the SSO (SAML or OIDC) authorization from a credential that had access to your organization.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor_id", + "org_id", + "business", + "action", + "@timestamp", + "org", + "_document_id", + "business_id", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authorizing a personal access token for use with single sign-on" }, { "action": "org_credential_authorization.grant", "description": "A member authorized credentials for use with SAML or OIDC single sign-on.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "created_at", + "org_id", + "business_id", + "operation_type", + "request_id", + "_document_id", + "action", + "actor_id", + "business", + "org", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "request_access_security_header", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authenticating with single sign-on" }, { "action": "org_credential_authorization.revoke", "description": "An owner revoked authorized credentials.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization", + "fields": [ + "actor", + "org", + "@timestamp", + "owner", + "oauth_application_id", + "org_id", + "operation_type", + "action", + "business", + "request_id", + "created_at", + "business_id", + "actor_id", + "_document_id", + "user_agent", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were disabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "org_id", + "action", + "_document_id", + "request_id", + "@timestamp", + "actor", + "org", + "operation_type", + "user_agent", + "created_at" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.disable_saml", "description": "SAML single sign-on was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "sso_url", + "issuer", + "action", + "@timestamp", + "_document_id", + "created_at", + "org", + "operation_type" + ] }, { "action": "org.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.disable_two_factor_requirement", "description": "A two-factor authentication requirement was disabled for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "org_id", + "action", + "actor", + "actor_id", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "user_agent" + ] }, { "action": "org.display_commenter_full_name_disabled", "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "user", + "action", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" + ] }, { "action": "org.display_commenter_full_name_enabled", "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_agent", + "request_id", + "actor", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", + "action", + "actor_id", + "org_id" + ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were enabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "operation_type", + "org", + "created_at", + "_document_id", + "actor", + "org_id", + "action", + "user_agent", + "request_id", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.integration_manager_added", "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "org_id", + "manager", + "@timestamp", + "request_id", + "actor", + "operation_type", + "_document_id", + "actor_id", + "org", + "action", + "created_at" + ] }, { "action": "org.integration_manager_removed", "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "@timestamp", + "org", + "user_agent", + "request_id", + "action", + "actor", + "actor_id", + "manager", + "operation_type", + "created_at", + "_document_id" + ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { "action": "org.invite_to_business", "description": "An organization was invited to join an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "org.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "actor", + "user", + "action" + ] }, { "action": "org.oauth_app_access_approved", "description": "Access to an organization was granted for an OAuth App.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization", + "fields": [ + "url", + "actor", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "org_id", + "_document_id", + "org", + "action", + "created_at", + "@timestamp", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization" }, { "action": "org.oauth_app_access_blocked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "url", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.oauth_app_access_denied", "description": "Access was disabled for an OAuth App that was previously approved.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization", + "fields": [ + "request_id", + "url", + "created_at", + "org_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "org", + "operation_type", + "actor", + "actor_id", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization" }, { "action": "org.oauth_app_access_requested", "description": "An organization member requested that an owner grant an OAuth App access to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "_document_id", + "request_id", + "url", + "org_id", + "action", + "@timestamp", + "org", + "request_access_security_header", + "oauth_application_name" + ] }, { "action": "org.oauth_app_access_unblocked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "url", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.rate_limited_invites", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "org_id", + "action", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org" + ] }, { "action": "org.recovery_code_failed", "description": "An organization owner failed to sign into a organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_code_used", "description": "An organization owner successfully signed into an organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_codes_downloaded", "description": "An organization owner downloaded the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_generated", "description": "An organization owner generated the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_printed", "description": "An organization owner printed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_viewed", "description": "An organization owner viewed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_actions_secret", "description": "A GitHub Actions secret was removed from an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.remove_actions_variable", "description": "A GitHub Actions variable was removed from an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.remove_integration_secret", "description": "A Codespaces or Dependabot secret was removed from an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.remove_outside_collaborator", "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user", + "org_id", + "created_at", + "request_id", + "@timestamp", + "action", + "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.remove_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "org.rename", "description": "An organization was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "@timestamp", + "org", + "action", + "actor", + "old_login", + "org_id", + "request_id", + "actor_id", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "org.required_workflow_create", "description": "Triggered when a required workflow is created.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_delete", "description": "Triggered when a required workflow is deleted.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_update", "description": "Triggered when a required workflow is updated.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.revoke_external_identity", "description": "A member's linked identity was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor", + "org", + "org_id", + "user", + "operation_type", + "user_id", + "@timestamp", + "action", + "actor_id", + "user_agent", + "_document_id", + "request_id", + "created_at" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.revoke_sso_session", "description": "A member's SAML session was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor_id", + "created_at", + "user", + "action", + "operation_type", + "@timestamp", + "org", + "org_id", + "user_agent", + "request_id", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_renamed", "description": "A self-hosted runner group was renamed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_visiblity_updated", "description": "The visibility of a self-hosted runner group was updated via the REST API.", "docs_reference_links": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "visibility", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_generic_secrets.disabled", "description": "Generic secrets have been disabled at the organization level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "org_secret_scanning_generic_secrets.enabled", "description": "Generic secrets have been enabled at the organization level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "org_id", + "operation_type", + "actor", + "actor_id", + "@timestamp", + "request_id", + "created_at", + "org", + "action" + ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "user_agent", + "actor", + "actor_id", + "org_id", + "@timestamp", + "org", + "issuer", + "business", + "operation_type", + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.transfer", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "from_business", + "to_business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.transfer_outgoing", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "business", + "business_id", + "from_business", + "to_business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.unarchive", "description": "The organization was unarchived.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_secret", "description": "A GitHub Actions secret was updated for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "created_at", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_actions_variable", "description": "A GitHub Actions variable was updated for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.update_default_repository_permission", "description": "The default repository permission level for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "operation_type", + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" + ] }, { "action": "org.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_new_repository_default_branch_setting", "description": "The name of the default branch was changed for new repositories in the organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization" }, { "action": "org.update_repo_self_hosted_runners_policy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_repo_runners_policy", + "new_repo_runners_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.update_saml_provider_settings", "description": "An organization's SAML provider settings were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", + "@timestamp", + "issuer", + "org", + "_document_id", + "actor", + "org_id", + "created_at", + "request_id", + "action" + ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_default_label.create", "description": "A default label was created for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label", + "fields": [ + "request_id", + "actor_id", + "actor", + "org", + "org_id", + "operation_type", + "_document_id", + "action", + "created_at", + "@timestamp", + "user_agent", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label" }, { "action": "organization_default_label.destroy", "description": "A default label was deleted for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label", + "fields": [ + "operation_type", + "request_id", + "actor", + "@timestamp", + "_document_id", + "actor_id", + "org_id", + "org", + "action", + "created_at", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label" }, { "action": "organization_default_label.update", "description": "A default label was edited for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label", + "fields": [ + "org", + "created_at", + "@timestamp", + "actor", + "action", + "user_agent", + "actor_id", + "org_id", + "operation_type", + "request_id", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_moderators.add_team", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.add_user", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.remove_team", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.remove_user", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type" + ] }, { "action": "organization_projects_change.clear", "description": "An enterprise owner cleared the policy setting for organization-wide project boards in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor", + "business_id", + "@timestamp", + "actor_id", + "user", + "user_id", + "action", + "user_agent", + "_document_id", + "created_at", + "operation_type", + "request_id", + "business" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.disable", "description": "Organization projects were disabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "org_id", + "action", + "user", + "org", + "created_at", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.enable", "description": "Organization projects were enabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor_id", + "org_id", + "created_at", + "user_id", + "org", + "@timestamp", + "_document_id", + "user_agent", + "actor", + "request_id", + "user", + "action", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_role.assign", "description": "An organization role was assigned to a user or team.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.create", "description": "A custom organization role was created in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.destroy", "description": "A custom organization role was deleted in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.revoke", "description": "A user or team was unassigned an organization role.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.update", "description": "A custom organization role was edited in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "old_role_permissions", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "old_base_role" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_published", "description": "A package was published or republished to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_version_published", "description": "A specific package version was published or republished to a package.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "prebuild_configuration.create", "description": "A GitHub Codespaces prebuild configuration for a repository was created.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.destroy", "description": "A GitHub Codespaces prebuild configuration for a repository was deleted.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.run_triggered", "description": "A user initiated a run of a GitHub Codespaces prebuild configuration for a repository branch.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.update", "description": "A GitHub Codespaces prebuild configuration for a repository was edited.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_repository_forking.clear", "description": "An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "action", + "operation_type", + "@timestamp", + "business_id", + "actor_id", + "user", + "business", + "request_id", + "actor", + "created_at", + "_document_id" + ] }, { "action": "private_repository_forking.disable", "description": "An enterprise owner disabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are never allowed to be forked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor_id", + "_document_id", + "actor", + "user", + "repo", + "action", + "user_agent", + "@timestamp", + "org", + "operation_type", + "request_id", + "user_id", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "private_repository_forking.enable", "description": "An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_id", + "operation_type", + "_document_id", + "action", + "@timestamp", + "repo", + "org", + "business", + "user_agent", + "request_id", + "actor", + "repo_id", + "user", + "org_id", + "created_at", + "business_id" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { "action": "protected_branch.branch_allowances", "description": "A protected branch allowance was given to a specific user, team or integration.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "name", + "authorized_actors", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "protected_branch.create", "description": "Branch protection was enabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "repo_id", + "user_id", + "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", + "_document_id", + "request_id", + "actor", + "actor_id", + "org", + "action", + "created_at", + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.destroy", "description": "Branch protection was disabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "repo", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "repo_id", + "org_id", + "operation_type", + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.dismiss_stale_reviews", "description": "Enforcement of dismissing stale pull requests was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", + "action", + "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", + "operation_type", + "actor", + "repo", + "org", + "name", + "programmatic_access_type" + ] }, { "action": "protected_branch.dismissal_restricted_users_teams", "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", + "actor_id", + "org", + "action", + "operation_type", + "programmatic_access_type" + ] }, { "action": "protected_branch.policy_override", "description": "A branch protection requirement was overridden by a repository administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor", + "reasons", + "@timestamp", + "before", + "after", + "actor_id", + "repo", + "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "rule_suite_id" + ] }, { "action": "protected_branch.rejected_ref_update", "description": "A branch update attempt was rejected.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "@timestamp", + "created_at", + "_document_id", + "business", + "org_id", + "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" + ] }, { "action": "protected_branch.update_admin_enforced", "description": "Branch protection was enforced for repository administrators.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "admin_enforced", + "operation_type", + "user_agent", + "actor", + "org", + "name", + "repo", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_allow_deletions_enforcement_level", "description": "Branch deletion was enabled or disabled for a protected branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "operation_type", + "request_id", + "repo", + "@timestamp", + "org_id", + "org", + "action", + "allow_deletions_enforcement_level", + "_document_id", + "created_at", + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" + ] }, { "action": "protected_branch.update_allow_force_pushes_enforcement_level", "description": "Force pushes were enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "actor_id", + "name", + "_document_id", + "actor", + "repo", + "operation_type", + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_linear_history_requirement_enforcement_level", "description": "Required linear commit history was enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "operation_type", + "actor", + "linear_history_requirement_enforcement_level", + "repo", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "protected_branch.update_name", "description": "A branch name pattern was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "old_name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "protected_branch.update_pull_request_reviews_enforcement_level", "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "org_id", + "_document_id", + "actor_id", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", + "org", + "repo", + "action", + "business", + "user_agent", + "created_at", + "repo_id", + "operation_type", + "actor", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_code_owner_review", "description": "Enforcement of required code owner review was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", + "action", + "@timestamp", + "actor", + "actor_id", + "repo", + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { "action": "protected_branch.update_required_approving_review_count", "description": "Enforcement of the required number of approvals before merging was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "required_approving_review_count", + "repo", + "request_id", + "repo_id", + "created_at", + "actor", + "operation_type", + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_required_status_checks_enforcement_level", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "user_agent", + "@timestamp", + "_document_id", + "name", + "repo", + "action", + "business_id", + "repo_id", + "business", + "actor_id", + "operation_type", + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_signature_requirement_enforcement_level", "description": "Enforcement of required commit signing was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "name", + "@timestamp", + "created_at", + "_document_id", + "request_id", + "repo_id", + "org", + "org_id", + "action", + "actor", + "actor_id", + "signature_requirement_enforcement_level", + "repo", + "user_agent", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_strict_required_status_checks_policy", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "_document_id", + "org", + "@timestamp", + "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", + "operation_type", + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" + ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.in_progress", "description": "A pull request was marked as in progress.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "pull_request.indirect_merge", "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { "action": "pull_request.rebase", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "pull_request_url", + "pull_request_title", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.reopen", "description": "A pull request was reopened after previously being closed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request_review_comment.delete", "description": "A review comment on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "_document_id", + "repo", + "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.update", "description": "A review comment on a pull request was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "request_id", + "actor_id", + "action", + "created_at", + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review.delete", "description": "A review on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to this repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "repo.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to this repository was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.rename_branch", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "old_branch", + "new_branch", + "default_branch", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_advisory.close", "description": "Someone closed a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories", + "fields": [ + "actor", + "repo", + "@timestamp", + "business", + "business_id", + "user_agent", + "actor_id", + "request_id", + "action", + "operation_type", + "created_at", + "repo_id", + "_document_id", + "org", + "org_id", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories" }, { "action": "repository_advisory.cve_request", "description": "Someone requested a CVE (Common Vulnerabilities and Exposures) number from GitHub for a draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "repo", + "org_id", + "actor", + "action", + "request_id", + "org", + "operation_type", + "@timestamp", + "user_agent", + "actor_id", + "_document_id", + "created_at" + ] }, { "action": "repository_advisory.github_broadcast", "description": "GitHub made a security advisory public in the GitHub Advisory Database.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "repository_advisory.github_withdraw", "description": "GitHub withdrew a security advisory that was published in error.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repository_advisory.open", "description": "Someone opened a draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "actor_id", + "actor", + "repo", + "created_at", + "_document_id", + "repo_id", + "action", + "@timestamp", + "request_id", + "request_access_security_header" + ] }, { "action": "repository_advisory.publish", "description": "Someone published a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "actor_id", + "@timestamp", + "actor", + "repo_id", + "_document_id", + "repo", + "business_id", + "business", + "request_id", + "action", + "created_at", + "org_id", + "org" + ] }, { "action": "repository_advisory.reopen", "description": "Someone reopened as draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "repo", + "action", + "created_at", + "@timestamp", + "request_id", + "actor_id", + "_document_id", + "actor", + "repo_id", + "public_repo" + ] }, { "action": "repository_advisory.update", "description": "Someone edited a draft or published security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "repo_id", + "org_id", + "business", + "actor", + "user_agent", + "created_at", + "_document_id", + "business_id", + "repo", + "action", + "operation_type", + "org", + "@timestamp", + "request_id" + ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_content_analysis.disable", "description": "Data use settings were disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "repo_id", + "request_id", + "actor_id", + "created_at", + "user_agent", + "action", + "operation_type", + "actor", + "repo", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_content_analysis.enable", "description": "Data use settings were enabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "org", + "user_id", + "repo_id", + "@timestamp", + "request_id", + "actor", + "action", + "operation_type", + "created_at", + "actor_id", + "repo", + "user_agent", + "org_id", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.disable", "description": "The dependency graph was disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "repo_id", + "operation_type", + "user_id", + "repo", + "_document_id", + "actor", + "user", + "action", + "@timestamp", + "org_id", + "actor_id", + "org", + "created_at", + "user_agent", + "request_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea, tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.enable", "description": "The dependency graph was enabled for a private repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "org", + "org_id", + "action", + "repo", + "user_id", + "created_at", + "user_agent", + "actor_id", + "repo_id", + "operation_type", + "actor", + "@timestamp", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_projects_change.clear", "description": "The repository projects policy was removed for an organization, or all organizations in the enterprise Organization owners can now control their repository projects settings.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "action", + "user_agent", + "user", + "business_id", + "business", + "operation_type", + "actor", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "repository_projects_change.disable", "description": "Repository projects were disabled for a repository, all repositories in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "@timestamp", + "repo", + "action", + "operation_type", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "repo_id", + "actor", + "request_id", + "programmatic_access_type" + ] }, { "action": "repository_projects_change.enable", "description": "Repository projects were enabled for a repository, all repositories in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "repo_id", + "org", + "request_id", + "user", + "user_agent", + "created_at", + "org_id", + "action", + "user_id", + "operation_type", + "_document_id", + "actor_id", + "repo" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { "action": "repository_secret_scanning.enable", "description": "Secret scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "repository_secret_scanning_generic_secrets.disabled", "description": "Generic secrets have been disabled at the repository level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_secret_scanning_generic_secrets.enabled", "description": "Generic secrets have been enabled at the repository level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_visibility_change.clear", "description": "The repository visibility change setting was cleared for an organization or enterprise.", "docs_reference_links": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-changes-to-repository-visibility", + "fields": [ + "created_at", + "_document_id", + "request_id", + "actor_id", + "business", + "action", + "operation_type", + "user", + "user_id", + "business_id", + "@timestamp", + "user_agent", + "actor", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, Enforcing repository management policies in your enterprise" }, { "action": "repository_visibility_change.disable", "description": "The ability for enterprise members to update a repository's visibility was disabled. Members are unable to change repository visibilities in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "org_id", + "created_at", + "user_agent", + "actor", + "actor_id", + "org", + "operation_type", + "_document_id", + "@timestamp", + "user_id", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "repository_visibility_change.enable", "description": "The ability for enterprise members to update a repository's visibility was enabled. Members are able to change repository visibilities in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "operation_type", + "_document_id", + "@timestamp", + "user_agent", + "user", + "created_at", + "org", + "org_id", + "action", + "actor_id", + "user_id", + "request_id" + ] }, { "action": "repository_vulnerability_alert.auto_dismiss", "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.auto_reopen", "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.create", "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "fields": [ + "operation_type", + "request_id", + "repo_id", + "@timestamp", + "user_agent", + "alert_id", + "action", + "repo", + "created_at", + "_document_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ], "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts" }, { "action": "repository_vulnerability_alert.dismiss", "description": "A Dependabot alert was manually dismissed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "org_id", + "user_id", + "request_id", + "@timestamp", + "operation_type", + "user_agent", + "alert_id", + "actor", + "repo", + "created_at", + "org", + "_document_id", + "action", + "actor_id", + "dismiss_reason", + "user", + "dismiss_comment", + "alert_number", + "actor_is_bot" + ] }, { "action": "repository_vulnerability_alert.reintroduce", "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "alert_id", + "created_at", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "_document_id", + "@timestamp", + "operation_type", + "token_scopes", + "alert_number" + ] }, { "action": "repository_vulnerability_alert.reopen", "description": "A Dependabot alert was manually reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "alert_id", + "created_at", + "action", + "repo", + "repo_id", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "operation_type", + "business", + "business_id", + "public_repo", + "alert_number", + "request_access_security_header" + ] }, { "action": "repository_vulnerability_alert.resolve", "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "alert_id", + "repo", + "operation_type", + "action", + "repo_id", + "_document_id", + "user_agent", + "request_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ] }, { "action": "repository_vulnerability_alerts.authorized_users_teams", "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts", + "fields": [ + "org", + "_document_id", + "repo", + "org_id", + "operation_type", + "created_at", + "actor", + "action", + "@timestamp", + "user_agent", + "repo_id", + "request_id", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts" }, { "action": "repository_vulnerability_alerts_auto_dismissal.disable", "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repository_vulnerability_alerts_auto_dismissal.enable", "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_vulnerability_alerts.disable", "description": "Dependabot alerts was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "request_id", + "repo_id", + "action", + "actor_id", + "@timestamp", + "created_at", + "actor", + "user_agent", + "org_id", + "user", + "org", + "_document_id", + "user_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_vulnerability_alerts.enable", "description": "Dependabot alerts was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_agent", + "created_at", + "@timestamp", + "repo_id", + "action", + "user", + "repo", + "org", + "org_id", + "actor_id", + "_document_id", + "user_id", + "operation_type", + "request_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "required_status_check.create", "description": "A status check was marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "org", + "actor_id", + "@timestamp", + "business", + "request_id", + "context", + "repo_id", + "action", + "repo", + "_document_id", + "operation_type", + "business_id", + "org_id", + "actor", + "created_at", + "user_agent", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "required_status_check.destroy", "description": "A status check was no longer marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "actor_id", + "actor", + "created_at", + "context", + "operation_type", + "@timestamp", + "request_id", + "org", + "user_agent", + "repo_id", + "org_id", + "action", + "_document_id", + "repo", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "role.create", "description": "A new custom repository role was created.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "role_permissions", + "old_role_permissions" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.destroy", "description": "A custom repository role was deleted.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.update", "description": "A custom repository role was edited.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "old_role_permissions", + "old_base_role" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.reopen", "description": "A secret scanning alert was reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type_display_name" + ] }, { "action": "secret_scanning_alert.resolve", "description": "A secret scanning alert was resolved.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "resolution", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" + ] }, { "action": "secret_scanning_alert.revoke", "description": "A secret scanning alert was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.invoiced_agreement_sign", "description": "An agreement for invoiced billing for GitHub Sponsors was signed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice" }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "staff.dependabot_debug_credentials_generated", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "staff.set_domain_token_expiration", "description": "The verification code expiry time for an organization or enterprise domain was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "staff.unverify_domain", "description": "An organization or enterprise domain was unverified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "staff.verify_domain", "description": "An organization or enterprise domain was verified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "domain_name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { "action": "team.add_repository", "description": "A team was given access and permissions to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", + "org", + "repo", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { "action": "team.create", "description": "A new team is created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", + "org", + "actor", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { "action": "team.destroy", "description": "A team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", + "operation_type", + "_document_id", + "programmatic_access_type" + ] }, { "action": "team_discussions.clear", "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "actor_id", + "user", + "business", + "action", + "request_id", + "created_at", + "user_id", + "_document_id" + ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { "action": "team_discussions.enable", "description": "Team discussions were enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "@timestamp", + "action", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", + "user", + "business", + "operation_type", + "actor", + "created_at" + ] }, { "action": "team_group_mapping.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "action", + "operation_type", + "team", + "@timestamp", + "actor_id", + "org", + "_document_id", + "org_id", + "user_agent", + "request_id", + "request_access_security_header" + ] }, { "action": "team_group_mapping.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "@timestamp", + "actor_id", + "_document_id", + "team", + "created_at", + "org_id", + "action", + "request_id", + "user_agent", + "actor", + "org", + "request_access_security_header" + ] }, { "action": "team_group_mapping.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { "action": "team.remove_repository", "description": "A repository was removed from a team's control.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "org_id", + "repo", + "repo_id", + "action", + "_document_id", + "actor", + "@timestamp", + "actor_id", + "user_agent", + "created_at", + "team", + "org", + "operation_type", + "programmatic_access_type" + ] }, { "action": "team.rename", "description": "A team's name was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "user_agent", + "created_at", + "team", + "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.update_okta_credentials", "description": "The Okta credentials for team synchronization with a tenant were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "team.update_repository_permission", "description": "A team's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "team", + "org_id", + "@timestamp", + "org", + "_document_id", + "old_permission", + "request_id", + "repo", + "action", + "repo_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "vulnerability_alert_rule.create", "description": "A Dependabot rule was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.delete", "description": "A Dependabot rule was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.disable", "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.enable", "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "vulnerability_alert_rule.force_disable", "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "vulnerability_alert_rule.force_enable", "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "vulnerability_alert_rule.update", "description": "A Dependabot rule's conditions, actions, or metadata changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.14/user.json b/src/audit-logs/data/ghes-3.14/user.json index bee8ed3b7f65..6470dec6ee5f 100644 --- a/src/audit-logs/data/ghes-3.14/user.json +++ b/src/audit-logs/data/ghes-3.14/user.json @@ -2,2053 +2,8131 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "account_recovery_token.confirm", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "token_id", + "user_id", + "user", + "actor", + "operation_type" + ] }, { "action": "account_recovery_token.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", + "actor", + "user_id", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "account_recovery_token.recover", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" + ] }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "billing.update_bill_cycle_day", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "gist.create", "description": "A gist was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "user", + "gist_id", + "@timestamp", + "created_at", + "operation_type", + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "gist.destroy", "description": "A gist was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "gist_id", + "visibility", + "created_at", + "_document_id", + "user", + "request_id", + "operation_type", + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "gist.visibility_change", "description": "The visibility of a gist was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "gpg_key.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "created_at", + "user_id", + "@timestamp", + "user", + "operation_type", + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" + ] }, { "action": "gpg_key.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor", + "actor_id", + "user", + "action", + "created_at", + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing_plan.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "actor", + "action", + "operation_type", + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" + ] }, { "action": "marketplace_listing_plan.publish", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", + "_document_id", + "action", + "user_agent", + "request_id", + "actor", + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" + ] }, { "action": "marketplace_listing_plan.retire", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", + "created_at", + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" + ] }, { "action": "marketplace_listing_plan.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "monthly_price_in_cents", + "marketplace_listing", + "_document_id", + "action", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", + "actor_id", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", + "operation_type", + "actor", + "created_at" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_access.regenerate", "description": "An OAuth access token was regenerated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "_document_id", + "created_at", + "@timestamp", + "operation_type", + "action", + "user_agent", + "request_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "oauth_application_name" + ] }, { "action": "oauth_access.update", "description": "An OAuth access token was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "action", + "@timestamp", + "user", + "user_agent", + "request_access_security_header" + ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "passkey.register", "description": "A new passkey was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "passkey.remove", "description": "A new passkey was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.create", "description": "Triggered when you create a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "personal_access_token.credential_regenerated", "description": "Triggered when you regenerate a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { "action": "personal_access_token.destroy", "description": "Triggered when you delete a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "security_key.register", "description": "A security key was registered for an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "created_at", + "user_id", + "action", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" + ] }, { "action": "security_key.remove", "description": "A security key was removed from an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "action", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "trusted_device.register", "description": "A new trusted device was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "trusted_device.remove", "description": "A trusted device was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "two_factor_account_recovery.abort", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "action", + "request_id", + "user_id", + "@timestamp", + "_document_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "two_factor_account_recovery.complete", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "created_at", + "user_id", + "operation_type", + "user", + "_document_id", + "user_agent", + "action" + ] }, { "action": "two_factor_account_recovery.ignore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "created_at", + "user_id", + "operation_type", + "@timestamp", + "user", + "action" + ] }, { "action": "two_factor_account_recovery.staff_approve", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "action", + "_document_id" + ] }, { "action": "two_factor_account_recovery.staff_decline", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user", + "created_at", + "request_id", + "actor_id", + "_document_id" + ] }, { "action": "two_factor_account_recovery.start", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" + ] }, { "action": "two_factor_account_recovery.two_factor_destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "user", + "_document_id", + "request_id" + ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { "action": "two_factor_authentication.password_reset_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", + "@timestamp", + "request_id", + "_document_id", + "user_agent" + ] }, { "action": "two_factor_authentication.recovery_codes_regenerated", "description": "Two factor recovery codes were regenerated for a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "action", + "user", + "user_agent", + "actor_id", + "@timestamp", + "created_at" + ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.sign_in_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "operation_type", + "user_id", + "user", + "user_agent", + "created_at", + "_document_id", + "action", + "@timestamp" + ] }, { "action": "two_factor_authentication.update_fallback", "description": "The two-factor authentication fallback for a user account was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "user", + "user_id", + "operation_type", + "user_agent", + "action", + "request_id", + "actor", + "actor_id" + ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { "action": "user.async_delete", "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "created_at", + "user", + "@timestamp", + "_document_id", + "request_id", + "actor_id", + "operation_type", + "user_agent", + "action", + "request_access_security_header" + ] }, { "action": "user.audit_log_export", "description": "Audit log entries were exported.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", + "operation_type", + "created_at" + ] }, { "action": "user.block_user", "description": "A user was blocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_id", + "_document_id", + "actor_id", + "@timestamp", + "user_agent", + "user", + "request_id", + "blocked_user", + "operation_type", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.change_password", "description": "A user changed their password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "actor", + "user", + "user_id", + "action", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.create", "description": "A new user account was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "email", + "user_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "created_at", + "_document_id", + "user_agent", + "actor", + "actor_id", + "action", + "programmatic_access_type" + ] }, { "action": "user.create_integration_secret", "description": "A user secret for Codespaces was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.creation_rate_limit_exceeded", "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "user_agent", + "_document_id", + "operation_type", + "oauth_application_id", + "action", + "actor", + "actor_id", + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.delete", "description": "A user account was destroyed by an asynchronous job.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "user_id", + "actor", + "actor_id", + "user", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.demote", "description": "A site administrator was demoted to an ordinary user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "oauth_application_id", + "action", + "user", + "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "_document_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.destroy", "description": "A user deleted his or her account, triggering user.async_delete.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "user", + "_document_id", + "created_at", + "user_agent", + "user_id", + "operation_type", + "actor_id", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.device_verification_failure", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.device_verification_requested", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user_id", + "actor", + "operation_type", + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" + ] }, { "action": "user.device_verification_success", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user", + "_document_id", + "action", + "operation_type", + "user_agent", + "created_at", + "request_id", + "actor", + "actor_id", + "user_id", + "request_access_security_header" + ] }, { "action": "user.disable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user_email.confirm_claim", "description": "An enterprise managed user claimed an email address.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { "action": "user.enable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.failed_login", "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", + "actor", + "actor_id", + "user_agent" + ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { "action": "user.grant_github_developer", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", + "@timestamp", + "_document_id", + "user", + "user_id", + "actor", + "operation_type", + "request_id" + ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.login", "description": "A user signed in.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "actor_id", + "@timestamp", + "user", + "action", + "operation_type", + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" + ] }, { "action": "user.logout", "description": "A user signed out.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.new_device_used", "description": "A user signed in from a new device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ] }, { "action": "user.promote", "description": "An ordinary user account was promoted to a site administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "actor", + "actor_id", + "user", + "@timestamp", + "created_at", + "user_agent", + "oauth_application_id", + "request_id", + "operation_type", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.recreate", "description": "A user's account was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user", + "action", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user_id", + "created_at", + "actor", + "operation_type" + ] }, { "action": "user.remove_email", "description": "An email address was removed from a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "@timestamp", + "_document_id", + "request_id", + "user", + "user_id", + "operation_type", + "actor", + "actor_id", + "created_at", + "email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.remove_integration_secret", "description": "A user secret for Codespaces was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.rename", "description": "A username was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "request_id", + "actor_id", + "old_login", + "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", + "operation_type", + "user_agent", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.reset_password", "description": "A user reset their account password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "user", + "request_id", + "user_id", + "created_at", + "@timestamp", + "_document_id", + "actor", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_session.country_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_id", + "action", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.sign_in_from_unrecognized_device", "description": "A user signed in from an unrecognized device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "operation_type", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_device_and_location", "description": "A user signed in from an unrecognized device and location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "request_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_status.destroy", "description": "Triggered when you clear the status on your profile.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_id", + "actor", + "message", + "user", + "actor_id", + "created_at", + "request_id", + "limited_availability", + "action", + "emoji", + "operation_type", + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { "action": "user.suspend", "description": "A user account was suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "operation_type", + "actor_id", + "user", + "user_agent", + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.toggle_warn_private_email", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "actor_id", + "@timestamp", + "operation_type", + "_document_id", + "user_agent", + "actor", + "action", + "user_id", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_success", "description": "A 2FA challenge issued for a user account succeeded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_id", + "operation_type", + "actor_id", + "user", + "actor", + "user_agent", + "request_id", + "action", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_recover", "description": "A user used their 2FA recovery codes.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", + "action", + "actor", + "actor_id", + "created_at", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_downloaded", "description": "A user downloaded 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "actor_id", + "user", + "request_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_printed", "description": "A user printed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", + "actor", + "actor_id", + "@timestamp" + ] }, { "action": "user.two_factor_recovery_codes_viewed", "description": "A user viewed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "actor", + "user_id", + "action", + "created_at", + "user", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { "action": "user.unblock_user", "description": "A user was unblocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", + "actor", + "@timestamp", + "user_agent", + "user_id", + "user", + "created_at", + "request_access_security_header" + ] }, { "action": "user.unsuspend", "description": "A user account was unsuspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "user", + "action", + "user_agent", + "actor", + "oauth_application_id", + "operation_type", + "actor_id", + "created_at", + "@timestamp", + "user_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.update_integration_secret", "description": "A user secret for Codespaces was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.update_new_repository_default_branch_setting", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.15/enterprise.json b/src/audit-logs/data/ghes-3.15/enterprise.json index fc5010c7b390..37f784631a30 100644 --- a/src/audit-logs/data/ghes-3.15/enterprise.json +++ b/src/audit-logs/data/ghes-3.15/enterprise.json @@ -2,4126 +2,16448 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "account_recovery_token.confirm", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "token_id", + "user_id", + "user", + "actor", + "operation_type" + ] }, { "action": "account_recovery_token.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", + "actor", + "user_id", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "account_recovery_token.recover", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" + ] }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "api.request", "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests", + "fields": [ + "user_agent", + "request_id", + "request_method", + "query_string", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "request_body", + "status_code", + "url_path", + "business", + "business_id", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "route", + "rate_limit_remaining", + "actor_is_bot" + ], "docs_reference_titles": "Streaming the audit log for your enterprise" }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "audit_log_streaming.check", "description": "A manual check of the endpoint configured for audit log streaming was performed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "audit_log_stream_result", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_sink_details", + "request_access_security_header" + ] }, { "action": "audit_log_streaming.create", "description": "An endpoint was added for audit log streaming.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business_id", + "business", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_id" + ] }, { "action": "audit_log_streaming.destroy", "description": "An audit log streaming endpoint was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_id", + "audit_log_stream_sink_details" + ] }, { "action": "audit_log_streaming.update", "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "audit_log_stream_enabled", + "business_id", + "business", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "new_s3_bucket", + "old_s3_bucket", + "secrets_updated", + "new_s3_arn_role", + "old_s3_arn_role", + "new_azure_blob_container", + "old_azure_blob_container", + "new_event_hub_instance", + "old_event_hub_instance", + "new_splunk_domain", + "old_splunk_domain", + "ssl_verify", + "old_gc_bucket" + ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "billing.update_bill_cycle_day", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.add_admin", "description": "An enterprise owner was added to an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "name", + "business", + "user", + "user_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "action", + "operation_type", + "request_id", + "business_id", + "_document_id", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { "action": "business.add_organization", "description": "An organization was added to an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "actor", + "business_id", + "org", + "action", + "user_agent", + "actor_id", + "name", + "created_at", + "request_id", + "_document_id", + "business", + "organization_upgrade", + "request_access_security_header" + ] }, { "action": "business_advanced_security.disabled", "description": "GitHub Advanced Security was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was disabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled", "description": "GitHub Advanced Security was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was enabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.advanced_security_policy_update", "description": "An enterprise owner created, updated, or removed a policy for GitHub Advanced Security.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "business.advanced_security_repo_admin_enablement_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business_advanced_security.user_namespace_repos_disabled", "description": "GitHub Advanced Security was disabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.user_namespace_repos_enabled", "description": "GitHub Advanced Security was enabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.clear_actions_settings", "description": "An enterprise owner or site administrator cleared GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.clear_default_repository_permission", "description": "An enterprise owner cleared the base repository permission policy setting for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "name", + "operation_type", + "business_id", + "user_agent", + "actor_id", + "request_id", + "actor", + "_document_id", + "business", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.clear_members_can_create_repos", "description": "An enterprise owner cleared a restriction on repository creation in organizations in the enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#setting-a-policy-for-repository-creation", + "fields": [ + "user_agent", + "actor_id", + "business_id", + "action", + "_document_id", + "request_id", + "name", + "business", + "visibility", + "created_at", + "actor", + "operation_type", + "@timestamp" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.code_scanning_autofix_policy_update", "description": "The policy for Code scanning autofix was updated for an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.create", "description": "An enterprise was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "_document_id", + "action", + "@timestamp", + "request_id", + "name", + "business", + "business_id", + "operation_type", + "actor", + "created_at", + "user_agent", + "request_access_security_header" + ] }, { "action": "business_dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for new repositories in your enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for new repositories in your enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.dependabot_alerts_repo_admin_enablement_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.disable_open_scim", "description": "SCIM provisioning for custom integrations that use the REST API was disabled for the enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was disabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { "action": "business.disable_two_factor_requirement", "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "@timestamp", + "actor", + "business", + "operation_type", + "created_at", + "user_agent", + "business_id", + "actor_id", + "name", + "_document_id", + "request_id" + ] }, { "action": "business.enable_open_scim", "description": "SCIM provisioning for custom integrations that use the REST API was enabled for the enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was enabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { "action": "business.enable_two_factor_requirement", "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "actor", + "operation_type", + "created_at", + "business", + "business_id", + "name", + "_document_id", + "request_id", + "@timestamp" + ] }, { "action": "business.members_can_update_protected_branches.clear", "description": "An enterprise owner unset a policy for whether members of an enterprise can update protected branches on repositories for individual organizations. Organization owners can choose whether to allow updating protected branches settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "business", + "name", + "operation_type", + "user", + "user_agent", + "business_id", + "_document_id" + ] }, { "action": "business.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update branch protection rules was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "business.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update branch protection rules was enabled. Enterprise owners and members can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "actor", + "operation_type", + "_document_id", + "business_id", + "user", + "@timestamp", + "business", + "actor_id", + "created_at", + "action", + "user_agent", + "request_id", + "user_id" + ] }, { "action": "business.remove_admin", "description": "An enterprise owner was removed from an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "actor", + "operation_type", + "user_agent", + "business", + "business_id", + "@timestamp", + "created_at", + "request_id", + "action", + "name", + "actor_id", + "user_id", + "_document_id", + "user" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { "action": "business.remove_organization", "description": "An organization was removed from an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "action", + "business", + "actor", + "actor_id", + "request_id", + "created_at", + "user_agent", + "business_id", + "operation_type", + "@timestamp", + "_document_id", + "name", + "org" + ] }, { "action": "business.rename_slug", "description": "The slug for the enterprise URL was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "name", + "business_id", + "user_agent", + "action", + "actor_id", + "operation_type", + "actor", + "@timestamp", + "created_at", + "business", + "_document_id" + ] }, { "action": "business.revoke_sso_session", "description": "The SAML single sign-on session for a member in an enterprise was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "user_agent", + "request_id", + "user", + "operation_type", + "actor", + "_document_id", + "actor_id", + "name", + "@timestamp", + "user_id", + "action", + "created_at", + "business" + ] }, { "action": "business_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_custom_pattern.create", "description": "An enterprise-level custom pattern was created for secret scanning.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern.delete", "description": "An enterprise-level custom pattern was removed from secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_secret_scanning_custom_pattern.publish", "description": "An enterprise-level custom pattern was published for secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern.update", "description": "Changes to an enterprise-level custom pattern were saved and a dry run was executed for secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_secret_scanning.disable", "description": "Secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.disabled_for_new_repos", "description": "Secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enable", "description": "Secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enabled_for_new_repos", "description": "Secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_push_protection_custom_message.disable", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.enable", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.update", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disable", "description": "Push protection for secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disabled_for_new_repos", "description": "Push protection for secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enable", "description": "Push protection for secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enabled_for_new_repos", "description": "Push protection for secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.secret_scanning_repo_admin_settings_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your enterprise. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "issuer", + "name", + "user_agent", + "action", + "@timestamp", + "_document_id", + "actor", + "business", + "business_id", + "actor_id", + "created_at", + "request_id", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.update_actions_settings", "description": "An enterprise owner or site administrator updated GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "updated_github_owned_allowed", + "updated_verified_allowed", + "updated_patterns", + "new_policy", + "old_policy", + "updated_access_policy" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.update_default_repository_permission", "description": "The base repository permission setting was updated for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "business_id", + "operation_type", + "user_agent", + "actor", + "actor_id", + "permission", + "action", + "created_at", + "@timestamp", + "request_id", + "name", + "_document_id", + "old_permission", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_creation_permission", "description": "The repository creation setting was updated for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-creation", + "fields": [ + "created_at", + "_document_id", + "request_id", + "name", + "business_id", + "actor", + "actor_id", + "@timestamp", + "operation_type", + "permission", + "action", + "business", + "user_agent", + "visibility" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_invitation_permission", "description": "The policy setting for enterprise members inviting outside collaborators to repositories was updated.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-inviting-outside-collaborators-to-repositories", + "fields": [ + "business_id", + "created_at", + "action", + "operation_type", + "@timestamp", + "request_id", + "permission", + "actor", + "actor_id", + "name", + "_document_id", + "user_agent", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "code.search", "description": "A code search was run targeting an organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/search-github/github-code-search", + "fields": [ + "@timestamp", + "action", + "actor_id", + "business_id", + "query", + "org_id", + "user_id", + "_document_id", + "search_string" + ], "docs_reference_titles": "/search-github/github-code-search" }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_domain.approve", "description": "A domain was approved for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#approving-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.create", "description": "A domain was added to an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.destroy", "description": "A domain was removed from an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#removing-an-approved-or-verified-domain", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.verify", "description": "A domain was verified for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise.register_self_hosted_runner", "description": "A new GitHub Actions self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "enterprise.remove_self_hosted_runner", "description": "A GitHub Actions self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_created", "description": "A GitHub Actions self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_removed", "description": "A GitHub Actions self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runner_removed", "description": "The REST API was used to remove a GitHub Actions self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "enterprise.runner_group_runners_added", "description": "A GitHub Actions self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runners_updated", "description": "A GitHub Actions runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "enterprise.runner_group_updated", "description": "The configuration of a GitHub Actions self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.self_hosted_runner_offline", "description": "The GitHub Actions runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_online", "description": "The GitHub Actions runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_updated", "description": "The GitHub Actions runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "enterprise_team.add_member", "description": "A new member was added to the enterprise team or an IdP group linked to an enterprise team, or an IdP group was linked to an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "user", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_team.copilot_assignment", "description": "A license for GitHub Copilot was assigned to an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "enterprise_team.copilot_unassignment", "description": "A license for GitHub Copilot was unassigned from an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "enterprise_team.create", "description": "A new enterprise team was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "enterprise_team.destroy", "description": "An enterprise team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "enterprise_team.remove_member", "description": "A member was removed from the enterprise team or an IdP group linked to an enterprise team, or an IdP group was unlinked from an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "user", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_team.rename", "description": "The name of an enterprise team was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "external_group.add_member", "description": "A user was added to an external group.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group", + "external_group_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.delete", "description": "An external group was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "scim_group_id" + ] }, { "action": "external_group.link", "description": "An external group was linked to a GitHub team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "external_group_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group", + "programmatic_access_type", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.provision", "description": "An external group was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "external_group.remove_member", "description": "A user was removed from an external group.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group", + "external_group_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "external_group.scim_api_failure", "description": "Failed external group SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.scim_api_success", "description": "Successful external group SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.unlink", "description": "An external group was unlinked to a GitHub team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "external_group_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group" + ] }, { "action": "external_group.update", "description": "An external group was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.update_display_name", "description": "An external group's display name was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group_id", + "external_group", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_identity.deprovision", "description": "An external identity was deprovisioned, suspending the linked GitHub user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "external_identity.provision", "description": "An external identity was created and linked to a GitHub user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] }, { "action": "external_identity.scim_api_failure", "description": "Failed external identity SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.scim_api_success", "description": "Successful external identity SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.update", "description": "An external identity was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] }, { "action": "gist.create", "description": "A gist was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "user", + "gist_id", + "@timestamp", + "created_at", + "operation_type", + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "gist.destroy", "description": "A gist was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "gist_id", + "visibility", + "created_at", + "_document_id", + "user", + "request_id", + "operation_type", + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "gist.visibility_change", "description": "The visibility of a gist was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "git.clone", "description": "A repository was cloned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.fetch", "description": "Changes were fetched from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.push", "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "gpg_key.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "created_at", + "user_id", + "@timestamp", + "user", + "operation_type", + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" + ] }, { "action": "gpg_key.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor", + "actor_id", + "user", + "action", + "created_at", + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "ip_allow_list.disable", "description": "An IP allow list was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "actor", + "request_id", + "org", + "user_agent", + "_document_id", + "user_id", + "actor_id", + "created_at", + "org_id", + "action", + "@timestamp", + "user" + ] }, { "action": "ip_allow_list.disable_for_installed_apps", "description": "An IP allow list was disabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.disable_user_level_enforcement", "description": "IP allow list user level enforcement was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ip_allow_list.enable", "description": "An IP allow list was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", + "_document_id", + "action", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "org", + "created_at" + ] }, { "action": "ip_allow_list.enable_for_installed_apps", "description": "An IP allow list was enabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.enable_user_level_enforcement", "description": "IP allow list user level enforcement was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ip_allow_list_entry.create", "description": "An IP address was added to an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "active", + "org", + "ip_allow_list_entry", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "actor_id", + "business_id", + "org_id", + "business", + "actor", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.destroy", "description": "An IP address was deleted from an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", + "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.update", "description": "An IP address or its description was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "actor", + "org", + "action", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" + ] }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing_plan.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "actor", + "action", + "operation_type", + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" + ] }, { "action": "marketplace_listing_plan.publish", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", + "_document_id", + "action", + "user_agent", + "request_id", + "actor", + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" + ] }, { "action": "marketplace_listing_plan.retire", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", + "created_at", + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" + ] }, { "action": "marketplace_listing_plan.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "monthly_price_in_cents", + "marketplace_listing", + "_document_id", + "action", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", + "actor_id", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", + "operation_type", + "actor", + "created_at" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_access.regenerate", "description": "An OAuth access token was regenerated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "_document_id", + "created_at", + "@timestamp", + "operation_type", + "action", + "user_agent", + "request_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "oauth_application_name" + ] }, { "action": "oauth_access.update", "description": "An OAuth access token was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "action", + "@timestamp", + "user", + "user_agent", + "request_access_security_header" + ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.suspend", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user_agent", + "org_id", + "org", + "operation_type", + "oauth_application_id", + "action", + "created_at", + "actor", + "actor_id", + "oauth_application", + "_document_id", + "request_id" + ] }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.unsuspend", "description": "An OAuth application was unsuspended for a user or organization account.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "operation_type", + "org_id", + "action", + "oauth_application_id", + "oauth_application", + "org", + "created_at", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "oauth_authorization.update", "description": "An authorization for an OAuth application was updated.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "org_id", + "request_id", + "user_id", + "actor", + "actor_id", + "user_agent", + "@timestamp", + "operation_type", + "action", + "user", + "created_at", + "_document_id", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.add_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.async_delete", "description": "A user initiated a background job to delete an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "request_id", + "org", + "org_id", + "user_agent", + "created_at" + ] }, { "action": "org.billing_signup_error", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_agent", + "action", + "@timestamp", + "actor_id", + "org_id", + "_document_id", + "actor", + "org", + "operation_type" + ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.cancel_invitation", "description": "An invitation sent to a user to join an organization was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "email", + "@timestamp", + "actor", + "action", + "operation_type", + "user_agent", + "org", + "invitation_id", + "_document_id", + "created_at", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.clear_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "org.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.delete", "description": "An organization was deleted by a user or staff.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "@timestamp", + "_document_id", + "created_at", + "actor", + "org_id", + "org", + "action", + "actor_id", + "operation_type", + "request_id", + "request_access_security_header" + ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.disable_saml", "description": "SAML single sign-on was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "sso_url", + "issuer", + "action", + "@timestamp", + "_document_id", + "created_at", + "org", + "operation_type" + ] }, { "action": "org.disable_two_factor_requirement", "description": "A two-factor authentication requirement was disabled for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "org_id", + "action", + "actor", + "actor_id", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "user_agent" + ] }, { "action": "org.display_commenter_full_name_disabled", "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "user", + "action", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" + ] }, { "action": "org.display_commenter_full_name_enabled", "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_agent", + "request_id", + "actor", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", + "action", + "actor_id", + "org_id" + ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.integration_manager_added", "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "org_id", + "manager", + "@timestamp", + "request_id", + "actor", + "operation_type", + "_document_id", + "actor_id", + "org", + "action", + "created_at" + ] }, { "action": "org.integration_manager_removed", "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "@timestamp", + "org", + "user_agent", + "request_id", + "action", + "actor", + "actor_id", + "manager", + "operation_type", + "created_at", + "_document_id" + ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { "action": "org.invite_to_business", "description": "An organization was invited to join an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "org.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "actor", + "user", + "action" + ] }, { "action": "org.rate_limited_invites", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "org_id", + "action", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org" + ] }, { "action": "org.recreate", "description": "An organization was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "action", + "operation_type", + "_document_id", + "user_agent", + "actor_id", + "@timestamp", + "request_id", + "actor", + "org_id" + ] }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.remove_outside_collaborator", "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user", + "org_id", + "created_at", + "request_id", + "@timestamp", + "action", + "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.remove_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "org.rename", "description": "An organization was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "@timestamp", + "org", + "action", + "actor", + "old_login", + "org_id", + "request_id", + "actor_id", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "org_id", + "operation_type", + "actor", + "actor_id", + "@timestamp", + "request_id", + "created_at", + "org", + "action" + ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "user_agent", + "actor", + "actor_id", + "org_id", + "@timestamp", + "org", + "issuer", + "business", + "operation_type", + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.transform", "description": "A user account was converted into an organization.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization", + "fields": [ + "actor", + "_document_id", + "request_id", + "operation_type", + "actor_id", + "org_id", + "org", + "action", + "@timestamp", + "created_at", + "user_agent", + "owner", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization" }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_default_repository_permission", "description": "The default repository permission level for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "operation_type", + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" + ] }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_saml_provider_settings", "description": "An organization's SAML provider settings were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", + "@timestamp", + "issuer", + "org", + "_document_id", + "actor", + "org_id", + "created_at", + "request_id", + "action" + ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_published", "description": "A package was published or republished to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_version_published", "description": "A specific package version was published or republished to a package.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "passkey.register", "description": "A new passkey was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "passkey.remove", "description": "A new passkey was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.create", "description": "Triggered when you create a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "personal_access_token.credential_regenerated", "description": "Triggered when you regenerate a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { "action": "personal_access_token.destroy", "description": "Triggered when you delete a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { "action": "protected_branch.branch_allowances", "description": "A protected branch allowance was given to a specific user, team or integration.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "name", + "authorized_actors", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "protected_branch.create", "description": "Branch protection was enabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "repo_id", + "user_id", + "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", + "_document_id", + "request_id", + "actor", + "actor_id", + "org", + "action", + "created_at", + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.destroy", "description": "Branch protection was disabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "repo", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "repo_id", + "org_id", + "operation_type", + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.dismiss_stale_reviews", "description": "Enforcement of dismissing stale pull requests was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", + "action", + "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", + "operation_type", + "actor", + "repo", + "org", + "name", + "programmatic_access_type" + ] }, { "action": "protected_branch.dismissal_restricted_users_teams", "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", + "actor_id", + "org", + "action", + "operation_type", + "programmatic_access_type" + ] }, { "action": "protected_branch.policy_override", "description": "A branch protection requirement was overridden by a repository administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor", + "reasons", + "@timestamp", + "before", + "after", + "actor_id", + "repo", + "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "rule_suite_id" + ] }, { "action": "protected_branch.rejected_ref_update", "description": "A branch update attempt was rejected.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "@timestamp", + "created_at", + "_document_id", + "business", + "org_id", + "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" + ] }, { "action": "protected_branch.update_admin_enforced", "description": "Branch protection was enforced for repository administrators.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "admin_enforced", + "operation_type", + "user_agent", + "actor", + "org", + "name", + "repo", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_allow_deletions_enforcement_level", "description": "Branch deletion was enabled or disabled for a protected branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "operation_type", + "request_id", + "repo", + "@timestamp", + "org_id", + "org", + "action", + "allow_deletions_enforcement_level", + "_document_id", + "created_at", + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" + ] }, { "action": "protected_branch.update_allow_force_pushes_enforcement_level", "description": "Force pushes were enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "actor_id", + "name", + "_document_id", + "actor", + "repo", + "operation_type", + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_linear_history_requirement_enforcement_level", "description": "Required linear commit history was enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "operation_type", + "actor", + "linear_history_requirement_enforcement_level", + "repo", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "protected_branch.update_name", "description": "A branch name pattern was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "old_name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "protected_branch.update_pull_request_reviews_enforcement_level", "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "org_id", + "_document_id", + "actor_id", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", + "org", + "repo", + "action", + "business", + "user_agent", + "created_at", + "repo_id", + "operation_type", + "actor", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_code_owner_review", "description": "Enforcement of required code owner review was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", + "action", + "@timestamp", + "actor", + "actor_id", + "repo", + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { "action": "protected_branch.update_required_approving_review_count", "description": "Enforcement of the required number of approvals before merging was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "required_approving_review_count", + "repo", + "request_id", + "repo_id", + "created_at", + "actor", + "operation_type", + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_required_status_checks_enforcement_level", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "user_agent", + "@timestamp", + "_document_id", + "name", + "repo", + "action", + "business_id", + "repo_id", + "business", + "actor_id", + "operation_type", + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_signature_requirement_enforcement_level", "description": "Enforcement of required commit signing was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "name", + "@timestamp", + "created_at", + "_document_id", + "request_id", + "repo_id", + "org", + "org_id", + "action", + "actor", + "actor_id", + "signature_requirement_enforcement_level", + "repo", + "user_agent", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_strict_required_status_checks_policy", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "_document_id", + "org", + "@timestamp", + "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", + "operation_type", + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" + ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.in_progress", "description": "A pull request was marked as in progress.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "pull_request.indirect_merge", "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { "action": "pull_request.rebase", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "pull_request_url", + "pull_request_title", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.reopen", "description": "A pull request was reopened after previously being closed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request_review_comment.delete", "description": "A review comment on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "_document_id", + "repo", + "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.update", "description": "A review comment on a pull request was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "request_id", + "actor_id", + "action", + "created_at", + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review.delete", "description": "A review on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "visibility", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.disk_archive", "description": "A repository was archived on disk.", "docs_reference_links": "/repositories/archiving-a-github-repository/archiving-repositories", + "fields": [ + "actor_id", + "repo", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "repo_id", + "actor", + "action", + "user_agent" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository/archiving-repositories" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { "action": "repo.hide_from_discovery", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "org", + "operation_type", + "visibility", + "repo_id", + "created_at", + "actor", + "action", + "@timestamp", + "org_id", + "request_id", + "repo", + "_document_id" + ] }, { "action": "repo.noindex", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo_id", + "request_id", + "action", + "_document_id", + "@timestamp", + "actor_id", + "created_at", + "user", + "operation_type", + "actor", + "user_agent", + "repo", + "user_id", + "public_repo" + ] }, { "action": "repo.override_unlock", "description": "The repository was unlocked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_build", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "action", + "_document_id", + "actor_id", + "repo", + "repo_id", + "operation_type", + "user_agent", + "request_id", + "created_at", + "visibility", + "actor", + "user_id" + ] }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.require_login", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "visibility", + "operation_type", + "repo", + "_document_id", + "user", + "user_id", + "actor", + "actor_id", + "user_agent", + "repo_id", + "action", + "@timestamp", + "request_id" + ] }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { "action": "repository_secret_scanning.enable", "description": "Secret scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.reopen", "description": "A secret scanning alert was reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type_display_name" + ] }, { "action": "secret_scanning_alert.resolve", "description": "A secret scanning alert was resolved.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "resolution", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" + ] }, { "action": "secret_scanning_alert.revoke", "description": "A secret scanning alert was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "security_key.register", "description": "A security key was registered for an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "created_at", + "user_id", + "action", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" + ] }, { "action": "security_key.remove", "description": "A security key was removed from an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "action", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "staff.set_domain_token_expiration", "description": "The verification code expiry time for an organization or enterprise domain was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "staff.unverify_domain", "description": "An organization or enterprise domain was unverified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "staff.verify_domain", "description": "An organization or enterprise domain was verified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "domain_name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { "action": "team.add_repository", "description": "A team was given access and permissions to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", + "org", + "repo", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { "action": "team.create", "description": "A new team is created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", + "org", + "actor", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { "action": "team.destroy", "description": "A team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", + "operation_type", + "_document_id", + "programmatic_access_type" + ] }, { "action": "team_discussions.clear", "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "actor_id", + "user", + "business", + "action", + "request_id", + "created_at", + "user_id", + "_document_id" + ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { "action": "team_discussions.enable", "description": "Team discussions were enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "@timestamp", + "action", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", + "user", + "business", + "operation_type", + "actor", + "created_at" + ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { "action": "team.remove_repository", "description": "A repository was removed from a team's control.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "org_id", + "repo", + "repo_id", + "action", + "_document_id", + "actor", + "@timestamp", + "actor_id", + "user_agent", + "created_at", + "team", + "org", + "operation_type", + "programmatic_access_type" + ] }, { "action": "team.rename", "description": "A team's name was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "user_agent", + "created_at", + "team", + "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team.update_repository_permission", "description": "A team's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "team", + "org_id", + "@timestamp", + "org", + "_document_id", + "old_permission", + "request_id", + "repo", + "action", + "repo_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "trusted_device.register", "description": "A new trusted device was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "trusted_device.remove", "description": "A trusted device was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "two_factor_account_recovery.abort", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "action", + "request_id", + "user_id", + "@timestamp", + "_document_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "two_factor_account_recovery.complete", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "created_at", + "user_id", + "operation_type", + "user", + "_document_id", + "user_agent", + "action" + ] }, { "action": "two_factor_account_recovery.ignore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "created_at", + "user_id", + "operation_type", + "@timestamp", + "user", + "action" + ] }, { "action": "two_factor_account_recovery.staff_approve", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "action", + "_document_id" + ] }, { "action": "two_factor_account_recovery.staff_decline", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user", + "created_at", + "request_id", + "actor_id", + "_document_id" + ] }, { "action": "two_factor_account_recovery.start", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" + ] }, { "action": "two_factor_account_recovery.two_factor_destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "user", + "_document_id", + "request_id" + ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { "action": "two_factor_authentication.password_reset_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", + "@timestamp", + "request_id", + "_document_id", + "user_agent" + ] }, { "action": "two_factor_authentication.recovery_codes_regenerated", "description": "Two factor recovery codes were regenerated for a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "action", + "user", + "user_agent", + "actor_id", + "@timestamp", + "created_at" + ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.sign_in_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "operation_type", + "user_id", + "user", + "user_agent", + "created_at", + "_document_id", + "action", + "@timestamp" + ] }, { "action": "two_factor_authentication.update_fallback", "description": "The two-factor authentication fallback for a user account was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "user", + "user_id", + "operation_type", + "user_agent", + "action", + "request_id", + "actor", + "actor_id" + ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { "action": "user.async_delete", "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "created_at", + "user", + "@timestamp", + "_document_id", + "request_id", + "actor_id", + "operation_type", + "user_agent", + "action", + "request_access_security_header" + ] }, { "action": "user.audit_log_export", "description": "Audit log entries were exported.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", + "operation_type", + "created_at" + ] }, { "action": "user.block_user", "description": "A user was blocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_id", + "_document_id", + "actor_id", + "@timestamp", + "user_agent", + "user", + "request_id", + "blocked_user", + "operation_type", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.change_password", "description": "A user changed their password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "actor", + "user", + "user_id", + "action", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.correct_password_from_unrecognized_device", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "user_agent", + "created_at", + "user", + "action", + "operation_type", + "request_id", + "user_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.correct_password_from_unrecognized_device_and_location", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "_document_id", + "@timestamp", + "created_at", + "user_agent", + "operation_type", + "request_id", + "user_id", + "action", + "request_access_security_header" + ] }, { "action": "user.correct_password_from_unrecognized_location", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "created_at", + "_document_id", + "user_agent", + "user_id", + "@timestamp", + "user", + "action", + "request_access_security_header" + ] }, { "action": "user.create", "description": "A new user account was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "email", + "user_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "created_at", + "_document_id", + "user_agent", + "actor", + "actor_id", + "action", + "programmatic_access_type" + ] }, { "action": "user.create_integration_secret", "description": "A user secret for Codespaces was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.creation_rate_limit_exceeded", "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "user_agent", + "_document_id", + "operation_type", + "oauth_application_id", + "action", + "actor", + "actor_id", + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.delete", "description": "A user account was destroyed by an asynchronous job.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "user_id", + "actor", + "actor_id", + "user", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.demote", "description": "A site administrator was demoted to an ordinary user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "oauth_application_id", + "action", + "user", + "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "_document_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.destroy", "description": "A user deleted his or her account, triggering user.async_delete.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "user", + "_document_id", + "created_at", + "user_agent", + "user_id", + "operation_type", + "actor_id", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.device_verification_failure", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.device_verification_requested", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user_id", + "actor", + "operation_type", + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" + ] }, { "action": "user.device_verification_success", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user", + "_document_id", + "action", + "operation_type", + "user_agent", + "created_at", + "request_id", + "actor", + "actor_id", + "user_id", + "request_access_security_header" + ] }, { "action": "user.disable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user_email.confirm_claim", "description": "An enterprise managed user claimed an email address.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { "action": "user.enable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.failed_login", "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", + "actor", + "actor_id", + "user_agent" + ] }, { "action": "user.flag_as_large_scale_contributor", "description": "A user account was flagged as a large scale contributor. Only contributions from public repositories the user owns will be shown in their contribution graph, in order to prevent timeouts.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "user_agent", + "created_at" + ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { "action": "user.grant_github_developer", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", + "@timestamp", + "_document_id", + "user", + "user_id", + "actor", + "operation_type", + "request_id" + ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.login", "description": "A user signed in.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "actor_id", + "@timestamp", + "user", + "action", + "operation_type", + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" + ] }, { "action": "user.logout", "description": "A user signed out.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.minimize_comment", "description": "A comment made by a user was minimized.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "actor_id", + "@timestamp", + "created_at", + "operation_type", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.new_device_used", "description": "A user signed in from a new device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ] }, { "action": "user.partial_two_factor_email_followup", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "_document_id", + "action", + "@timestamp", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "user.promote", "description": "An ordinary user account was promoted to a site administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "actor", + "actor_id", + "user", + "@timestamp", + "created_at", + "user_agent", + "oauth_application_id", + "request_id", + "operation_type", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.recreate", "description": "A user's account was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user", + "action", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user_id", + "created_at", + "actor", + "operation_type" + ] }, { "action": "user.remove_email", "description": "An email address was removed from a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "@timestamp", + "_document_id", + "request_id", + "user", + "user_id", + "operation_type", + "actor", + "actor_id", + "created_at", + "email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.remove_integration_secret", "description": "A user secret for Codespaces was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.remove_large_scale_contributor_flag", "description": "A user account was no longer flagged as a large scale contributor.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.rename", "description": "A username was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "request_id", + "actor_id", + "old_login", + "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", + "operation_type", + "user_agent", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.report_abuse", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "user_agent", + "request_id", + "action", + "@timestamp", + "created_at", + "org_id", + "_document_id", + "actor", + "actor_id", + "user", + "operation_type" + ] }, { "action": "user.report_content", "description": "Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam", + "fields": [ + "org_id", + "request_id", + "user", + "user_agent", + "action", + "created_at", + "actor", + "operation_type", + "actor_id", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam" }, { "action": "user.reset_password", "description": "A user reset their account password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "user", + "request_id", + "user_id", + "created_at", + "@timestamp", + "_document_id", + "actor", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_session.country_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_id", + "action", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.sign_in_from_unrecognized_device", "description": "A user signed in from an unrecognized device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "operation_type", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_device_and_location", "description": "A user signed in from an unrecognized device and location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "request_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_location", "description": "A user signed in from an unrecognized location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "action", + "operation_type", + "user_agent", + "user", + "_document_id", + "actor", + "created_at", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user_status.destroy", "description": "Triggered when you clear the status on your profile.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_id", + "actor", + "message", + "user", + "actor_id", + "created_at", + "request_id", + "limited_availability", + "action", + "emoji", + "operation_type", + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { "action": "user.suspend", "description": "A user account was suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "operation_type", + "actor_id", + "user", + "user_agent", + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.toggle_warn_private_email", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "actor_id", + "@timestamp", + "operation_type", + "_document_id", + "user_agent", + "actor", + "action", + "user_id", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_success", "description": "A 2FA challenge issued for a user account succeeded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_id", + "operation_type", + "actor_id", + "user", + "actor", + "user_agent", + "request_id", + "action", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_recover", "description": "A user used their 2FA recovery codes.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", + "action", + "actor", + "actor_id", + "created_at", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_downloaded", "description": "A user downloaded 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "actor_id", + "user", + "request_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_printed", "description": "A user printed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", + "actor", + "actor_id", + "@timestamp" + ] }, { "action": "user.two_factor_recovery_codes_viewed", "description": "A user viewed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "actor", + "user_id", + "action", + "created_at", + "user", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { "action": "user.unblock_user", "description": "A user was unblocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", + "actor", + "@timestamp", + "user_agent", + "user_id", + "user", + "created_at", + "request_access_security_header" + ] }, { "action": "user.unminimize_comment", "description": "A comment made by a user was unminimized.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user_agent", + "_document_id", + "actor_id", + "user", + "user_id", + "operation_type", + "request_id", + "actor", + "action", + "created_at" + ] }, { "action": "user.unsuspend", "description": "A user account was unsuspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "user", + "action", + "user_agent", + "actor", + "oauth_application_id", + "operation_type", + "actor_id", + "created_at", + "@timestamp", + "user_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.update_integration_secret", "description": "A user secret for Codespaces was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.update_new_repository_default_branch_setting", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.15/organization.json b/src/audit-logs/data/ghes-3.15/organization.json index 163bd3a72f14..58ef74883f78 100644 --- a/src/audit-logs/data/ghes-3.15/organization.json +++ b/src/audit-logs/data/ghes-3.15/organization.json @@ -2,3854 +2,15723 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "advisory_credit.accept", "description": "Credit was accepted for a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory" }, { "action": "advisory_credit.create", "description": "Someone was added to the credit section of a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "advisory_credit.decline", "description": "Credit was declined for a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "advisory_credit.destroy", "description": "Someone was removed from the credit section of a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "auto_approve_personal_access_token_requests.disable", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources. See also: personal_access_token.auto_approve_grant_requests_disabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "auto_approve_personal_access_token_requests.enable", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval. See also: personal_access_token.auto_approve_grant_requests_enabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.attempted_to_create_from_prebuild", "description": "An attempt to create a codespace from a prebuild was made.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "pull_request_id", + "repository", + "repository_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "codespaces.business_enablement_updated", "description": "Enterprise setting for Codespaces ownership was updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "organization_names", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.policy_group_created", "description": "Policies were applied to codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.policy_group_deleted", "description": "Policies were removed from codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "codespaces.policy_group_updated", "description": "Policies were updated for codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "commit_comment.destroy", "description": "A commit comment was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "repo", + "org", + "org_id", + "created_at", + "@timestamp", + "operation_type", + "repo_id", + "actor_id", + "request_id", + "_document_id", + "user_agent", + "action", + "programmatic_access_type" + ] }, { "action": "commit_comment.update", "description": "A commit comment was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "repo_id", + "actor", + "org", + "request_id", + "action", + "@timestamp", + "repo", + "org_id", + "actor_id", + "created_at", + "user_agent", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "copilot.access_revoked", "description": "Copilot access was revoked for the organization or enterprise due to its Copilot subscription ending, an issue with billing the entity, the entity being marked spammy, or the entity being suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "plan", + "org_id", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "copilot.cfb_org_settings_changed", "description": "Copilot feature settings were changed at the organization level.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.cfb_seat_management_changed", "description": "The seat management setting was changed at the organization level to either enable or disable Copilot access for all members of the organization, or to enable Copilot access for selected members or teams.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_value", + "new_value", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "copilot.content_exclusion_changed", "description": "The excluded paths for GitHub Copilot were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "excluded_paths", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.knowledge_base_created", "description": "A knowledge base was created in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_deleted", "description": "A knowledge base was deleted from the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_updated", "description": "A knowledge base was updated in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.plan_changed", "description": "The plan for GitHub Copilot was updated.", "docs_reference_links": "/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_plan", + "plan", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About billing for GitHub Copilot" }, { "action": "copilot.plan_downgrade_scheduled", "description": "The plan for GitHub Copilot was scheduled to be downgraded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "current_plan", + "scheduled_plan" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "discussion_comment.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "repo_id", + "request_id", + "action", + "actor", + "org_id", + "_document_id", + "actor_id", + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "discussion_comment.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "@timestamp", + "actor", + "user_agent", + "request_id", + "org", + "_document_id", + "actor_id", + "operation_type", + "created_at", + "repo", + "org_id", + "action", + "request_access_security_header" + ] }, { "action": "discussion.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "user_agent", + "actor_id", + "org_id", + "actor", + "org", + "action", + "operation_type", + "@timestamp", + "request_id", + "title", + "_document_id", + "created_at", + "repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_installation.create", "description": "The GitHub App associated with a GitHub Connect connection was created.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "operation_type", + "@timestamp", + "_document_id", + "org_id", + "action", + "request_id", + "org", + "actor_id", + "user_agent", + "actor" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "enterprise_installation.destroy", "description": "The GitHub App associated with a GitHub Connect connection was deleted.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "_document_id", + "action", + "@timestamp", + "actor_id", + "actor", + "user_agent", + "org", + "operation_type", + "request_id", + "org_id" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "git.clone", "description": "A repository was cloned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.fetch", "description": "Changes were fetched from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.push", "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation_request.close", "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "url", + "actor", + "actor_id", + "created_at", + "request_id", + "operation_type", + "@timestamp", + "integration", + "action", + "user_agent", + "reason", + "_document_id", + "org", + "org_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation_request.create", "description": "A member requested that an owner install a GitHub App.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "@timestamp", + "actor_id", + "org", + "_document_id", + "requester", + "action", + "user_agent", + "created_at", + "url", + "org_id", + "request_id", + "operation_type", + "actor", + "integration", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "ip_allow_list.disable", "description": "An IP allow list was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "actor", + "request_id", + "org", + "user_agent", + "_document_id", + "user_id", + "actor_id", + "created_at", + "org_id", + "action", + "@timestamp", + "user" + ] }, { "action": "ip_allow_list.disable_for_installed_apps", "description": "An IP allow list was disabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.enable", "description": "An IP allow list was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", + "_document_id", + "action", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "org", + "created_at" + ] }, { "action": "ip_allow_list.enable_for_installed_apps", "description": "An IP allow list was enabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list_entry.create", "description": "An IP address was added to an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "active", + "org", + "ip_allow_list_entry", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "actor_id", + "business_id", + "org_id", + "business", + "actor", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.destroy", "description": "An IP address was deleted from an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", + "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.update", "description": "An IP address or its description was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "actor", + "org", + "action", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" + ] }, { "action": "issue_comment.destroy", "description": "A comment on an issue was deleted from the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "org", + "repo", + "actor_id", + "@timestamp", + "created_at", + "_document_id", + "action", + "operation_type", + "user_agent", + "repo_id", + "actor", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "issue_comment.update", "description": "A comment on an issue (other than the initial one) changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "action", + "repo_id", + "org_id", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "_document_id", + "actor_id", + "actor", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "issue.destroy", "description": "An issue was deleted from the repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/deleting-an-issue", + "fields": [ + "user", + "actor_id", + "created_at", + "title", + "@timestamp", + "_document_id", + "request_id", + "actor", + "user_id", + "action", + "operation_type", + "user_agent", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting an issue" }, { "action": "issue.pinned", "description": "An issue was pinned to a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "_document_id", + "user_agent", + "actor_id", + "created_at", + "action", + "actor", + "operation_type", + "owner_type", + "@timestamp", + "repo_id", + "request_id", + "number", + "repo", + "event", + "user", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issue.transfer", "description": "An issue was transferred to another repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/transferring-an-issue-to-another-repository", + "fields": [ + "user", + "user_id", + "@timestamp", + "user_agent", + "owner_type", + "actor_id", + "number", + "repo", + "operation_type", + "_document_id", + "repo_id", + "action", + "request_id", + "created_at", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "Transferring an issue to another repository" }, { "action": "issue.unpinned", "description": "An issue was unpinned from a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "event", + "user_agent", + "actor_id", + "repo_id", + "actor", + "action", + "created_at", + "request_id", + "repo", + "operation_type", + "_document_id", + "number", + "owner_type", + "@timestamp", + "user", + "user_id", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issues.deletes_disabled", "description": "The ability for enterprise members to delete issues was disabled Members cannot delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user_agent", + "action", + "@timestamp", + "operation_type", + "request_id", + "actor_id", + "user_id", + "created_at", + "_document_id", + "actor", + "user", + "org", + "org_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_enabled", "description": "The ability for enterprise members to delete issues was enabled Members can delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "operation_type" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_policy_cleared", "description": "An enterprise owner cleared the policy setting for allowing members to delete issues in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user", + "request_id", + "actor", + "business_id", + "action", + "operation_type", + "user_agent", + "created_at", + "@timestamp", + "_document_id", + "business", + "user_id", + "actor_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "members_can_create_pages.disable", "description": "The ability for members to publish GitHub Pages sites was disabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_pages.enable", "description": "The ability for members to publish GitHub Pages sites was enabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.disable", "description": "The ability for members to publish private GitHub Pages was disabled Members cannot publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.enable", "description": "The ability for members to publish private GitHub Pages was enabled Members can publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.disable", "description": "The ability for members to publish public GitHub Pages was disabled Members cannot publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.enable", "description": "The ability for members to publish public GitHub Pages was enabled Members can publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_delete_repos.clear", "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "_document_id", + "request_id", + "user", + "user_id", + "business", + "operation_type", + "user_agent", + "actor", + "actor_id", + "business_id", + "@timestamp", + "created_at", + "action" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.disable", "description": "The ability for enterprise members to delete repositories was disabled Members cannot delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "request_id", + "org", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "actor", + "operation_type", + "org_id", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.enable", "description": "The ability for enterprise members to delete repositories was enabled Members can delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "action", + "org_id", + "user_id", + "business", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user", + "business_id", + "created_at", + "actor", + "org", + "operation_type", + "user_agent" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_view_dependency_insights.clear", "description": "An enterprise owner cleared the policy setting for viewing dependency insights in any organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "created_at", + "request_id", + "actor", + "action", + "operation_type" + ] }, { "action": "members_can_view_dependency_insights.disable", "description": "The ability for enterprise members to view dependency insights was disabled. Members cannot view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "business", + "created_at", + "user_id", + "business_id", + "user", + "org", + "operation_type", + "request_id", + "actor", + "_document_id", + "action", + "user_agent", + "actor_id", + "org_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "members_can_view_dependency_insights.enable", "description": "The ability for enterprise members to view dependency insights was enabled. Members can view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "user_agent", + "user", + "user_id", + "business", + "business_id", + "operation_type", + "@timestamp", + "action", + "actor", + "actor_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "migration.destroy_file", "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "org_id", + "action", + "operation_type", + "created_at", + "repo", + "_document_id", + "repo_id", + "request_access_security_header" + ] }, { "action": "migration.download", "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was downloaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "oauth_application_id", + "repo_id", + "operation_type", + "@timestamp", + "user_agent", + "created_at", + "org", + "action", + "_document_id", + "repo", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "network_configuration.create", "description": "A network configuration for a hosted compute service was created.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.delete", "description": "A network configuration for a hosted compute service was deleted.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.update", "description": "A network configuration for a hosted compute service was updated.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.add_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_disabled", "description": "Third-party application access for outside collaborators was disabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_enabled", "description": "Third-party application access for outside collaborators was enabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.archive", "description": "The organization was archived.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.audit_log_export", "description": "An export of the organization audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "actor", + "org", + "action", + "created_at", + "user_agent", + "actor_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" }, { "action": "org.audit_log_git_event_export", "description": "An export of the organization's Git events was created.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "start", + "end", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization" }, { "action": "org.billing_signup_error", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_agent", + "action", + "@timestamp", + "actor_id", + "org_id", + "_document_id", + "actor", + "org", + "operation_type" + ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.cancel_invitation", "description": "An invitation sent to a user to join an organization was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "email", + "@timestamp", + "actor", + "action", + "operation_type", + "user_agent", + "org", + "invitation_id", + "_document_id", + "created_at", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.clear_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "org.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codespaces_access_updated", "description": "Access to use Codespaces on internal and private repositories was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization" }, { "action": "org.codespaces_ownership_updated", "description": "Ownership and payment for codespaces was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { "action": "org.codespaces_team_access_allowed", "description": "A team has been allowed to use Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.codespaces_team_access_revoked", "description": "A team has been prevented from using Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to all other repositories in an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to all other repositories in an organization was revoked.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_user_access_allowed", "description": "A user has been allowed to use Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.codespaces_user_access_revoked", "description": "A user has been prevented from using Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.connect_usage_metrics_export", "description": "Server statistics were exported for the organization.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/exporting-server-statistics", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Exporting Server Statistics" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.create_actions_secret", "description": "A GitHub Actions secret was created for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.create_actions_variable", "description": "A GitHub Actions variable was created for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org_credential_authorization.deauthorize", "description": "A member removed the SSO (SAML or OIDC) authorization from a credential that had access to your organization.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor_id", + "org_id", + "business", + "action", + "@timestamp", + "org", + "_document_id", + "business_id", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authorizing a personal access token for use with single sign-on" }, { "action": "org_credential_authorization.grant", "description": "A member authorized credentials for use with SAML or OIDC single sign-on.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "created_at", + "org_id", + "business_id", + "operation_type", + "request_id", + "_document_id", + "action", + "actor_id", + "business", + "org", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "request_access_security_header", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authenticating with single sign-on" }, { "action": "org_credential_authorization.revoke", "description": "An owner revoked authorized credentials.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization", + "fields": [ + "actor", + "org", + "@timestamp", + "owner", + "oauth_application_id", + "org_id", + "operation_type", + "action", + "business", + "request_id", + "created_at", + "business_id", + "actor_id", + "_document_id", + "user_agent", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.delete", "description": "An organization was deleted by a user or staff.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "@timestamp", + "_document_id", + "created_at", + "actor", + "org_id", + "org", + "action", + "actor_id", + "operation_type", + "request_id", + "request_access_security_header" + ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were disabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "org_id", + "action", + "_document_id", + "request_id", + "@timestamp", + "actor", + "org", + "operation_type", + "user_agent", + "created_at" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.disable_saml", "description": "SAML single sign-on was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "sso_url", + "issuer", + "action", + "@timestamp", + "_document_id", + "created_at", + "org", + "operation_type" + ] }, { "action": "org.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.disable_two_factor_requirement", "description": "A two-factor authentication requirement was disabled for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "org_id", + "action", + "actor", + "actor_id", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "user_agent" + ] }, { "action": "org.display_commenter_full_name_disabled", "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "user", + "action", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" + ] }, { "action": "org.display_commenter_full_name_enabled", "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_agent", + "request_id", + "actor", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", + "action", + "actor_id", + "org_id" + ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were enabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "operation_type", + "org", + "created_at", + "_document_id", + "actor", + "org_id", + "action", + "user_agent", + "request_id", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.integration_manager_added", "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "org_id", + "manager", + "@timestamp", + "request_id", + "actor", + "operation_type", + "_document_id", + "actor_id", + "org", + "action", + "created_at" + ] }, { "action": "org.integration_manager_removed", "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "@timestamp", + "org", + "user_agent", + "request_id", + "action", + "actor", + "actor_id", + "manager", + "operation_type", + "created_at", + "_document_id" + ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { "action": "org.invite_to_business", "description": "An organization was invited to join an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "org.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "actor", + "user", + "action" + ] }, { "action": "org.oauth_app_access_approved", "description": "Access to an organization was granted for an OAuth App.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization", + "fields": [ + "url", + "actor", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "org_id", + "_document_id", + "org", + "action", + "created_at", + "@timestamp", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization" }, { "action": "org.oauth_app_access_blocked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "url", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.oauth_app_access_denied", "description": "Access was disabled for an OAuth App that was previously approved.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization", + "fields": [ + "request_id", + "url", + "created_at", + "org_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "org", + "operation_type", + "actor", + "actor_id", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization" }, { "action": "org.oauth_app_access_requested", "description": "An organization member requested that an owner grant an OAuth App access to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "_document_id", + "request_id", + "url", + "org_id", + "action", + "@timestamp", + "org", + "request_access_security_header", + "oauth_application_name" + ] }, { "action": "org.oauth_app_access_unblocked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "url", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.rate_limited_invites", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "org_id", + "action", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org" + ] }, { "action": "org.recovery_code_failed", "description": "An organization owner failed to sign into a organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_code_used", "description": "An organization owner successfully signed into an organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_codes_downloaded", "description": "An organization owner downloaded the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_generated", "description": "An organization owner generated the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_printed", "description": "An organization owner printed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_viewed", "description": "An organization owner viewed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_actions_secret", "description": "A GitHub Actions secret was removed from an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.remove_actions_variable", "description": "A GitHub Actions variable was removed from an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.remove_integration_secret", "description": "A Codespaces or Dependabot secret was removed from an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.remove_outside_collaborator", "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user", + "org_id", + "created_at", + "request_id", + "@timestamp", + "action", + "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.remove_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "org.rename", "description": "An organization was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "@timestamp", + "org", + "action", + "actor", + "old_login", + "org_id", + "request_id", + "actor_id", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "org.required_workflow_create", "description": "Triggered when a required workflow is created.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_delete", "description": "Triggered when a required workflow is deleted.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_update", "description": "Triggered when a required workflow is updated.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.revoke_external_identity", "description": "A member's linked identity was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor", + "org", + "org_id", + "user", + "operation_type", + "user_id", + "@timestamp", + "action", + "actor_id", + "user_agent", + "_document_id", + "request_id", + "created_at" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.revoke_sso_session", "description": "A member's SAML session was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor_id", + "created_at", + "user", + "action", + "operation_type", + "@timestamp", + "org", + "org_id", + "user_agent", + "request_id", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_renamed", "description": "A self-hosted runner group was renamed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_visiblity_updated", "description": "The visibility of a self-hosted runner group was updated via the REST API.", "docs_reference_links": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "visibility", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_generic_secrets.disabled", "description": "Generic secrets have been disabled at the organization level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "org_secret_scanning_generic_secrets.enabled", "description": "Generic secrets have been enabled at the organization level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "org_id", + "operation_type", + "actor", + "actor_id", + "@timestamp", + "request_id", + "created_at", + "org", + "action" + ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "user_agent", + "actor", + "actor_id", + "org_id", + "@timestamp", + "org", + "issuer", + "business", + "operation_type", + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.transfer", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "from_business", + "to_business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.transfer_outgoing", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "business", + "business_id", + "from_business", + "to_business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.unarchive", "description": "The organization was unarchived.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_secret", "description": "A GitHub Actions secret was updated for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "created_at", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_actions_variable", "description": "A GitHub Actions variable was updated for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.update_default_repository_permission", "description": "The default repository permission level for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "operation_type", + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" + ] }, { "action": "org.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_new_repository_default_branch_setting", "description": "The name of the default branch was changed for new repositories in the organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization" }, { "action": "org.update_repo_self_hosted_runners_policy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_repo_runners_policy", + "new_repo_runners_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.update_saml_provider_settings", "description": "An organization's SAML provider settings were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", + "@timestamp", + "issuer", + "org", + "_document_id", + "actor", + "org_id", + "created_at", + "request_id", + "action" + ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_default_label.create", "description": "A default label was created for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label", + "fields": [ + "request_id", + "actor_id", + "actor", + "org", + "org_id", + "operation_type", + "_document_id", + "action", + "created_at", + "@timestamp", + "user_agent", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label" }, { "action": "organization_default_label.destroy", "description": "A default label was deleted for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label", + "fields": [ + "operation_type", + "request_id", + "actor", + "@timestamp", + "_document_id", + "actor_id", + "org_id", + "org", + "action", + "created_at", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label" }, { "action": "organization_default_label.update", "description": "A default label was edited for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label", + "fields": [ + "org", + "created_at", + "@timestamp", + "actor", + "action", + "user_agent", + "actor_id", + "org_id", + "operation_type", + "request_id", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_moderators.add_team", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.add_user", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.remove_team", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.remove_user", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type" + ] }, { "action": "organization_projects_change.clear", "description": "An enterprise owner cleared the policy setting for organization-wide project boards in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor", + "business_id", + "@timestamp", + "actor_id", + "user", + "user_id", + "action", + "user_agent", + "_document_id", + "created_at", + "operation_type", + "request_id", + "business" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.disable", "description": "Organization projects were disabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "org_id", + "action", + "user", + "org", + "created_at", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.enable", "description": "Organization projects were enabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor_id", + "org_id", + "created_at", + "user_id", + "org", + "@timestamp", + "_document_id", + "user_agent", + "actor", + "request_id", + "user", + "action", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_role.assign", "description": "An organization role was assigned to a user or team.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.create", "description": "A custom organization role was created in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.destroy", "description": "A custom organization role was deleted in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.revoke", "description": "A user or team was unassigned an organization role.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.update", "description": "A custom organization role was edited in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "old_role_permissions", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "old_base_role" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_published", "description": "A package was published or republished to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_version_published", "description": "A specific package version was published or republished to a package.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "prebuild_configuration.create", "description": "A GitHub Codespaces prebuild configuration for a repository was created.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.destroy", "description": "A GitHub Codespaces prebuild configuration for a repository was deleted.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.run_triggered", "description": "A user initiated a run of a GitHub Codespaces prebuild configuration for a repository branch.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.update", "description": "A GitHub Codespaces prebuild configuration for a repository was edited.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_repository_forking.clear", "description": "An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "action", + "operation_type", + "@timestamp", + "business_id", + "actor_id", + "user", + "business", + "request_id", + "actor", + "created_at", + "_document_id" + ] }, { "action": "private_repository_forking.disable", "description": "An enterprise owner disabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are never allowed to be forked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor_id", + "_document_id", + "actor", + "user", + "repo", + "action", + "user_agent", + "@timestamp", + "org", + "operation_type", + "request_id", + "user_id", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "private_repository_forking.enable", "description": "An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_id", + "operation_type", + "_document_id", + "action", + "@timestamp", + "repo", + "org", + "business", + "user_agent", + "request_id", + "actor", + "repo_id", + "user", + "org_id", + "created_at", + "business_id" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { "action": "protected_branch.branch_allowances", "description": "A protected branch allowance was given to a specific user, team or integration.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "name", + "authorized_actors", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "protected_branch.create", "description": "Branch protection was enabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "repo_id", + "user_id", + "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", + "_document_id", + "request_id", + "actor", + "actor_id", + "org", + "action", + "created_at", + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.destroy", "description": "Branch protection was disabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "repo", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "repo_id", + "org_id", + "operation_type", + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.dismiss_stale_reviews", "description": "Enforcement of dismissing stale pull requests was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", + "action", + "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", + "operation_type", + "actor", + "repo", + "org", + "name", + "programmatic_access_type" + ] }, { "action": "protected_branch.dismissal_restricted_users_teams", "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", + "actor_id", + "org", + "action", + "operation_type", + "programmatic_access_type" + ] }, { "action": "protected_branch.policy_override", "description": "A branch protection requirement was overridden by a repository administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor", + "reasons", + "@timestamp", + "before", + "after", + "actor_id", + "repo", + "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "rule_suite_id" + ] }, { "action": "protected_branch.rejected_ref_update", "description": "A branch update attempt was rejected.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "@timestamp", + "created_at", + "_document_id", + "business", + "org_id", + "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" + ] }, { "action": "protected_branch.update_admin_enforced", "description": "Branch protection was enforced for repository administrators.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "admin_enforced", + "operation_type", + "user_agent", + "actor", + "org", + "name", + "repo", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_allow_deletions_enforcement_level", "description": "Branch deletion was enabled or disabled for a protected branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "operation_type", + "request_id", + "repo", + "@timestamp", + "org_id", + "org", + "action", + "allow_deletions_enforcement_level", + "_document_id", + "created_at", + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" + ] }, { "action": "protected_branch.update_allow_force_pushes_enforcement_level", "description": "Force pushes were enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "actor_id", + "name", + "_document_id", + "actor", + "repo", + "operation_type", + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_linear_history_requirement_enforcement_level", "description": "Required linear commit history was enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "operation_type", + "actor", + "linear_history_requirement_enforcement_level", + "repo", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "protected_branch.update_name", "description": "A branch name pattern was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "old_name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "protected_branch.update_pull_request_reviews_enforcement_level", "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "org_id", + "_document_id", + "actor_id", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", + "org", + "repo", + "action", + "business", + "user_agent", + "created_at", + "repo_id", + "operation_type", + "actor", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_code_owner_review", "description": "Enforcement of required code owner review was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", + "action", + "@timestamp", + "actor", + "actor_id", + "repo", + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { "action": "protected_branch.update_required_approving_review_count", "description": "Enforcement of the required number of approvals before merging was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "required_approving_review_count", + "repo", + "request_id", + "repo_id", + "created_at", + "actor", + "operation_type", + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_required_status_checks_enforcement_level", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "user_agent", + "@timestamp", + "_document_id", + "name", + "repo", + "action", + "business_id", + "repo_id", + "business", + "actor_id", + "operation_type", + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_signature_requirement_enforcement_level", "description": "Enforcement of required commit signing was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "name", + "@timestamp", + "created_at", + "_document_id", + "request_id", + "repo_id", + "org", + "org_id", + "action", + "actor", + "actor_id", + "signature_requirement_enforcement_level", + "repo", + "user_agent", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_strict_required_status_checks_policy", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "_document_id", + "org", + "@timestamp", + "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", + "operation_type", + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" + ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.in_progress", "description": "A pull request was marked as in progress.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "pull_request.indirect_merge", "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { "action": "pull_request.rebase", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "pull_request_url", + "pull_request_title", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.reopen", "description": "A pull request was reopened after previously being closed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request_review_comment.delete", "description": "A review comment on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "_document_id", + "repo", + "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.update", "description": "A review comment on a pull request was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "request_id", + "actor_id", + "action", + "created_at", + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review.delete", "description": "A review on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to this repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "repo.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to this repository was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.rename_branch", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "old_branch", + "new_branch", + "default_branch", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_advisory.close", "description": "Someone closed a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories", + "fields": [ + "actor", + "repo", + "@timestamp", + "business", + "business_id", + "user_agent", + "actor_id", + "request_id", + "action", + "operation_type", + "created_at", + "repo_id", + "_document_id", + "org", + "org_id", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories" }, { "action": "repository_advisory.cve_request", "description": "Someone requested a CVE (Common Vulnerabilities and Exposures) number from GitHub for a draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "repo", + "org_id", + "actor", + "action", + "request_id", + "org", + "operation_type", + "@timestamp", + "user_agent", + "actor_id", + "_document_id", + "created_at" + ] }, { "action": "repository_advisory.github_broadcast", "description": "GitHub made a security advisory public in the GitHub Advisory Database.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "repository_advisory.github_withdraw", "description": "GitHub withdrew a security advisory that was published in error.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repository_advisory.open", "description": "Someone opened a draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "actor_id", + "actor", + "repo", + "created_at", + "_document_id", + "repo_id", + "action", + "@timestamp", + "request_id", + "request_access_security_header" + ] }, { "action": "repository_advisory.publish", "description": "Someone published a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "actor_id", + "@timestamp", + "actor", + "repo_id", + "_document_id", + "repo", + "business_id", + "business", + "request_id", + "action", + "created_at", + "org_id", + "org" + ] }, { "action": "repository_advisory.reopen", "description": "Someone reopened as draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "repo", + "action", + "created_at", + "@timestamp", + "request_id", + "actor_id", + "_document_id", + "actor", + "repo_id", + "public_repo" + ] }, { "action": "repository_advisory.update", "description": "Someone edited a draft or published security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "repo_id", + "org_id", + "business", + "actor", + "user_agent", + "created_at", + "_document_id", + "business_id", + "repo", + "action", + "operation_type", + "org", + "@timestamp", + "request_id" + ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_content_analysis.disable", "description": "Data use settings were disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "repo_id", + "request_id", + "actor_id", + "created_at", + "user_agent", + "action", + "operation_type", + "actor", + "repo", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_content_analysis.enable", "description": "Data use settings were enabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "org", + "user_id", + "repo_id", + "@timestamp", + "request_id", + "actor", + "action", + "operation_type", + "created_at", + "actor_id", + "repo", + "user_agent", + "org_id", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.disable", "description": "The dependency graph was disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "repo_id", + "operation_type", + "user_id", + "repo", + "_document_id", + "actor", + "user", + "action", + "@timestamp", + "org_id", + "actor_id", + "org", + "created_at", + "user_agent", + "request_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea, tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.enable", "description": "The dependency graph was enabled for a private repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "org", + "org_id", + "action", + "repo", + "user_id", + "created_at", + "user_agent", + "actor_id", + "repo_id", + "operation_type", + "actor", + "@timestamp", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_projects_change.clear", "description": "The repository projects policy was removed for an organization, or all organizations in the enterprise Organization owners can now control their repository projects settings.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "action", + "user_agent", + "user", + "business_id", + "business", + "operation_type", + "actor", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "repository_projects_change.disable", "description": "Repository projects were disabled for a repository, all repositories in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "@timestamp", + "repo", + "action", + "operation_type", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "repo_id", + "actor", + "request_id", + "programmatic_access_type" + ] }, { "action": "repository_projects_change.enable", "description": "Repository projects were enabled for a repository, all repositories in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "repo_id", + "org", + "request_id", + "user", + "user_agent", + "created_at", + "org_id", + "action", + "user_id", + "operation_type", + "_document_id", + "actor_id", + "repo" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { "action": "repository_secret_scanning.enable", "description": "Secret scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "repository_secret_scanning_generic_secrets.disabled", "description": "Generic secrets have been disabled at the repository level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_secret_scanning_generic_secrets.enabled", "description": "Generic secrets have been enabled at the repository level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_security_configuration.applied", "description": "A code security configuration was applied to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.failed", "description": "A code security configuration failed to attach to the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed", "description": "A code security configuration was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed_by_settings_change", "description": "A code security configuration was removed due to a change in repository or enterprise settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_visibility_change.clear", "description": "The repository visibility change setting was cleared for an organization or enterprise.", "docs_reference_links": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-changes-to-repository-visibility", + "fields": [ + "created_at", + "_document_id", + "request_id", + "actor_id", + "business", + "action", + "operation_type", + "user", + "user_id", + "business_id", + "@timestamp", + "user_agent", + "actor", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, Enforcing repository management policies in your enterprise" }, { "action": "repository_visibility_change.disable", "description": "The ability for enterprise members to update a repository's visibility was disabled. Members are unable to change repository visibilities in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "org_id", + "created_at", + "user_agent", + "actor", + "actor_id", + "org", + "operation_type", + "_document_id", + "@timestamp", + "user_id", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "repository_visibility_change.enable", "description": "The ability for enterprise members to update a repository's visibility was enabled. Members are able to change repository visibilities in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "operation_type", + "_document_id", + "@timestamp", + "user_agent", + "user", + "created_at", + "org", + "org_id", + "action", + "actor_id", + "user_id", + "request_id" + ] }, { "action": "repository_vulnerability_alert.auto_dismiss", "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.auto_reopen", "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.create", "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "fields": [ + "operation_type", + "request_id", + "repo_id", + "@timestamp", + "user_agent", + "alert_id", + "action", + "repo", + "created_at", + "_document_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ], "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts" }, { "action": "repository_vulnerability_alert.dismiss", "description": "A Dependabot alert was manually dismissed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "org_id", + "user_id", + "request_id", + "@timestamp", + "operation_type", + "user_agent", + "alert_id", + "actor", + "repo", + "created_at", + "org", + "_document_id", + "action", + "actor_id", + "dismiss_reason", + "user", + "dismiss_comment", + "alert_number", + "actor_is_bot" + ] }, { "action": "repository_vulnerability_alert.reintroduce", "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "alert_id", + "created_at", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "_document_id", + "@timestamp", + "operation_type", + "token_scopes", + "alert_number" + ] }, { "action": "repository_vulnerability_alert.reopen", "description": "A Dependabot alert was manually reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "alert_id", + "created_at", + "action", + "repo", + "repo_id", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "operation_type", + "business", + "business_id", + "public_repo", + "alert_number", + "request_access_security_header" + ] }, { "action": "repository_vulnerability_alert.resolve", "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "alert_id", + "repo", + "operation_type", + "action", + "repo_id", + "_document_id", + "user_agent", + "request_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ] }, { "action": "repository_vulnerability_alerts.authorized_users_teams", "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts", + "fields": [ + "org", + "_document_id", + "repo", + "org_id", + "operation_type", + "created_at", + "actor", + "action", + "@timestamp", + "user_agent", + "repo_id", + "request_id", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts" }, { "action": "repository_vulnerability_alerts_auto_dismissal.disable", "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repository_vulnerability_alerts_auto_dismissal.enable", "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_vulnerability_alerts.disable", "description": "Dependabot alerts was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "request_id", + "repo_id", + "action", + "actor_id", + "@timestamp", + "created_at", + "actor", + "user_agent", + "org_id", + "user", + "org", + "_document_id", + "user_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_vulnerability_alerts.enable", "description": "Dependabot alerts was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_agent", + "created_at", + "@timestamp", + "repo_id", + "action", + "user", + "repo", + "org", + "org_id", + "actor_id", + "_document_id", + "user_id", + "operation_type", + "request_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "required_status_check.create", "description": "A status check was marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "org", + "actor_id", + "@timestamp", + "business", + "request_id", + "context", + "repo_id", + "action", + "repo", + "_document_id", + "operation_type", + "business_id", + "org_id", + "actor", + "created_at", + "user_agent", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "required_status_check.destroy", "description": "A status check was no longer marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "actor_id", + "actor", + "created_at", + "context", + "operation_type", + "@timestamp", + "request_id", + "org", + "user_agent", + "repo_id", + "org_id", + "action", + "_document_id", + "repo", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "role.create", "description": "A new custom repository role was created.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "role_permissions", + "old_role_permissions" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.destroy", "description": "A custom repository role was deleted.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.update", "description": "A custom repository role was edited.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "old_role_permissions", + "old_base_role" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.reopen", "description": "A secret scanning alert was reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type_display_name" + ] }, { "action": "secret_scanning_alert.report", "description": "A leaked secret was reported to the secret's provider by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "created_at", + "secret_type_display_name", + "secret_type_provider", + "report_result" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts" }, { "action": "secret_scanning_alert.resolve", "description": "A secret scanning alert was resolved.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "resolution", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" + ] }, { "action": "secret_scanning_alert.revoke", "description": "A secret scanning alert was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "security_configuration.create", "description": "A security configuration was created", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_default.delete", "description": "A default security configuration setting for new repositories was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration_default.update", "description": "A default security configuration setting for new repositories was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration.delete", "description": "A security configuration was deleted", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_policy.update", "description": "A security configuration policy was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enforcement", + "security_configuration_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "security_configuration.update", "description": "A security configuration was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.invoiced_agreement_sign", "description": "An agreement for invoiced billing for GitHub Sponsors was signed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice" }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "staff.dependabot_debug_credentials_generated", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "staff.set_domain_token_expiration", "description": "The verification code expiry time for an organization or enterprise domain was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "staff.unverify_domain", "description": "An organization or enterprise domain was unverified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "staff.verify_domain", "description": "An organization or enterprise domain was verified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "domain_name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { "action": "team.add_repository", "description": "A team was given access and permissions to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", + "org", + "repo", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { "action": "team.create", "description": "A new team is created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", + "org", + "actor", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { "action": "team.destroy", "description": "A team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", + "operation_type", + "_document_id", + "programmatic_access_type" + ] }, { "action": "team_discussions.clear", "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "actor_id", + "user", + "business", + "action", + "request_id", + "created_at", + "user_id", + "_document_id" + ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { "action": "team_discussions.enable", "description": "Team discussions were enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "@timestamp", + "action", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", + "user", + "business", + "operation_type", + "actor", + "created_at" + ] }, { "action": "team_group_mapping.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "action", + "operation_type", + "team", + "@timestamp", + "actor_id", + "org", + "_document_id", + "org_id", + "user_agent", + "request_id", + "request_access_security_header" + ] }, { "action": "team_group_mapping.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "@timestamp", + "actor_id", + "_document_id", + "team", + "created_at", + "org_id", + "action", + "request_id", + "user_agent", + "actor", + "org", + "request_access_security_header" + ] }, { "action": "team_group_mapping.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { "action": "team.remove_repository", "description": "A repository was removed from a team's control.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "org_id", + "repo", + "repo_id", + "action", + "_document_id", + "actor", + "@timestamp", + "actor_id", + "user_agent", + "created_at", + "team", + "org", + "operation_type", + "programmatic_access_type" + ] }, { "action": "team.rename", "description": "A team's name was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "user_agent", + "created_at", + "team", + "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.update_okta_credentials", "description": "The Okta credentials for team synchronization with a tenant were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "team.update_repository_permission", "description": "A team's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "team", + "org_id", + "@timestamp", + "org", + "_document_id", + "old_permission", + "request_id", + "repo", + "action", + "repo_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "vulnerability_alert_rule.create", "description": "A Dependabot rule was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.delete", "description": "A Dependabot rule was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.disable", "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.enable", "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "vulnerability_alert_rule.force_disable", "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "vulnerability_alert_rule.force_enable", "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "vulnerability_alert_rule.update", "description": "A Dependabot rule's conditions, actions, or metadata changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.15/user.json b/src/audit-logs/data/ghes-3.15/user.json index ff916632b2a0..9375994631ef 100644 --- a/src/audit-logs/data/ghes-3.15/user.json +++ b/src/audit-logs/data/ghes-3.15/user.json @@ -2,2093 +2,8330 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "account_recovery_token.confirm", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "token_id", + "user_id", + "user", + "actor", + "operation_type" + ] }, { "action": "account_recovery_token.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", + "actor", + "user_id", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "account_recovery_token.recover", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" + ] }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "billing.update_bill_cycle_day", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "gist.create", "description": "A gist was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "user", + "gist_id", + "@timestamp", + "created_at", + "operation_type", + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "gist.destroy", "description": "A gist was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "gist_id", + "visibility", + "created_at", + "_document_id", + "user", + "request_id", + "operation_type", + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "gist.visibility_change", "description": "The visibility of a gist was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "gpg_key.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "created_at", + "user_id", + "@timestamp", + "user", + "operation_type", + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" + ] }, { "action": "gpg_key.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor", + "actor_id", + "user", + "action", + "created_at", + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing_plan.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "actor", + "action", + "operation_type", + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" + ] }, { "action": "marketplace_listing_plan.publish", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", + "_document_id", + "action", + "user_agent", + "request_id", + "actor", + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" + ] }, { "action": "marketplace_listing_plan.retire", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", + "created_at", + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" + ] }, { "action": "marketplace_listing_plan.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "monthly_price_in_cents", + "marketplace_listing", + "_document_id", + "action", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", + "actor_id", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", + "operation_type", + "actor", + "created_at" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_access.regenerate", "description": "An OAuth access token was regenerated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "_document_id", + "created_at", + "@timestamp", + "operation_type", + "action", + "user_agent", + "request_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "oauth_application_name" + ] }, { "action": "oauth_access.update", "description": "An OAuth access token was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "action", + "@timestamp", + "user", + "user_agent", + "request_access_security_header" + ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "passkey.register", "description": "A new passkey was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "passkey.remove", "description": "A new passkey was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.create", "description": "Triggered when you create a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "personal_access_token.credential_regenerated", "description": "Triggered when you regenerate a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { "action": "personal_access_token.destroy", "description": "Triggered when you delete a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "security_key.register", "description": "A security key was registered for an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "created_at", + "user_id", + "action", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" + ] }, { "action": "security_key.remove", "description": "A security key was removed from an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "action", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "trusted_device.register", "description": "A new trusted device was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "trusted_device.remove", "description": "A trusted device was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "two_factor_account_recovery.abort", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "action", + "request_id", + "user_id", + "@timestamp", + "_document_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "two_factor_account_recovery.complete", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "created_at", + "user_id", + "operation_type", + "user", + "_document_id", + "user_agent", + "action" + ] }, { "action": "two_factor_account_recovery.ignore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "created_at", + "user_id", + "operation_type", + "@timestamp", + "user", + "action" + ] }, { "action": "two_factor_account_recovery.staff_approve", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "action", + "_document_id" + ] }, { "action": "two_factor_account_recovery.staff_decline", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user", + "created_at", + "request_id", + "actor_id", + "_document_id" + ] }, { "action": "two_factor_account_recovery.start", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" + ] }, { "action": "two_factor_account_recovery.two_factor_destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "user", + "_document_id", + "request_id" + ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { "action": "two_factor_authentication.password_reset_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", + "@timestamp", + "request_id", + "_document_id", + "user_agent" + ] }, { "action": "two_factor_authentication.recovery_codes_regenerated", "description": "Two factor recovery codes were regenerated for a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "action", + "user", + "user_agent", + "actor_id", + "@timestamp", + "created_at" + ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.sign_in_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "operation_type", + "user_id", + "user", + "user_agent", + "created_at", + "_document_id", + "action", + "@timestamp" + ] }, { "action": "two_factor_authentication.update_fallback", "description": "The two-factor authentication fallback for a user account was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "user", + "user_id", + "operation_type", + "user_agent", + "action", + "request_id", + "actor", + "actor_id" + ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { "action": "user.async_delete", "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "created_at", + "user", + "@timestamp", + "_document_id", + "request_id", + "actor_id", + "operation_type", + "user_agent", + "action", + "request_access_security_header" + ] }, { "action": "user.audit_log_export", "description": "Audit log entries were exported.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", + "operation_type", + "created_at" + ] }, { "action": "user.block_user", "description": "A user was blocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_id", + "_document_id", + "actor_id", + "@timestamp", + "user_agent", + "user", + "request_id", + "blocked_user", + "operation_type", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.change_password", "description": "A user changed their password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "actor", + "user", + "user_id", + "action", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.create", "description": "A new user account was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "email", + "user_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "created_at", + "_document_id", + "user_agent", + "actor", + "actor_id", + "action", + "programmatic_access_type" + ] }, { "action": "user.create_integration_secret", "description": "A user secret for Codespaces was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.creation_rate_limit_exceeded", "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "user_agent", + "_document_id", + "operation_type", + "oauth_application_id", + "action", + "actor", + "actor_id", + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.delete", "description": "A user account was destroyed by an asynchronous job.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "user_id", + "actor", + "actor_id", + "user", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.demote", "description": "A site administrator was demoted to an ordinary user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "oauth_application_id", + "action", + "user", + "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "_document_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.destroy", "description": "A user deleted his or her account, triggering user.async_delete.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "user", + "_document_id", + "created_at", + "user_agent", + "user_id", + "operation_type", + "actor_id", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.device_verification_failure", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.device_verification_requested", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user_id", + "actor", + "operation_type", + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" + ] }, { "action": "user.device_verification_success", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user", + "_document_id", + "action", + "operation_type", + "user_agent", + "created_at", + "request_id", + "actor", + "actor_id", + "user_id", + "request_access_security_header" + ] }, { "action": "user.disable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user_email.confirm_claim", "description": "An enterprise managed user claimed an email address.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { "action": "user.enable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.failed_login", "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", + "actor", + "actor_id", + "user_agent" + ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { "action": "user.grant_github_developer", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", + "@timestamp", + "_document_id", + "user", + "user_id", + "actor", + "operation_type", + "request_id" + ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.login", "description": "A user signed in.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "actor_id", + "@timestamp", + "user", + "action", + "operation_type", + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" + ] }, { "action": "user.logout", "description": "A user signed out.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.new_device_used", "description": "A user signed in from a new device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ] }, { "action": "user.promote", "description": "An ordinary user account was promoted to a site administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "actor", + "actor_id", + "user", + "@timestamp", + "created_at", + "user_agent", + "oauth_application_id", + "request_id", + "operation_type", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.recreate", "description": "A user's account was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user", + "action", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user_id", + "created_at", + "actor", + "operation_type" + ] }, { "action": "user.remove_email", "description": "An email address was removed from a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "@timestamp", + "_document_id", + "request_id", + "user", + "user_id", + "operation_type", + "actor", + "actor_id", + "created_at", + "email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.remove_integration_secret", "description": "A user secret for Codespaces was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.rename", "description": "A username was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "request_id", + "actor_id", + "old_login", + "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", + "operation_type", + "user_agent", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.reset_password", "description": "A user reset their account password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "user", + "request_id", + "user_id", + "created_at", + "@timestamp", + "_document_id", + "actor", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_session.country_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_id", + "action", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.sign_in_from_unrecognized_device", "description": "A user signed in from an unrecognized device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "operation_type", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_device_and_location", "description": "A user signed in from an unrecognized device and location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "request_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_status.destroy", "description": "Triggered when you clear the status on your profile.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_id", + "actor", + "message", + "user", + "actor_id", + "created_at", + "request_id", + "limited_availability", + "action", + "emoji", + "operation_type", + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { "action": "user.suspend", "description": "A user account was suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "operation_type", + "actor_id", + "user", + "user_agent", + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.toggle_warn_private_email", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "actor_id", + "@timestamp", + "operation_type", + "_document_id", + "user_agent", + "actor", + "action", + "user_id", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_success", "description": "A 2FA challenge issued for a user account succeeded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_id", + "operation_type", + "actor_id", + "user", + "actor", + "user_agent", + "request_id", + "action", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_recover", "description": "A user used their 2FA recovery codes.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", + "action", + "actor", + "actor_id", + "created_at", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_downloaded", "description": "A user downloaded 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "actor_id", + "user", + "request_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_printed", "description": "A user printed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", + "actor", + "actor_id", + "@timestamp" + ] }, { "action": "user.two_factor_recovery_codes_viewed", "description": "A user viewed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "actor", + "user_id", + "action", + "created_at", + "user", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { "action": "user.unblock_user", "description": "A user was unblocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", + "actor", + "@timestamp", + "user_agent", + "user_id", + "user", + "created_at", + "request_access_security_header" + ] }, { "action": "user.unsuspend", "description": "A user account was unsuspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "user", + "action", + "user_agent", + "actor", + "oauth_application_id", + "operation_type", + "actor_id", + "created_at", + "@timestamp", + "user_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.update_integration_secret", "description": "A user secret for Codespaces was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.update_new_repository_default_branch_setting", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.16/enterprise.json b/src/audit-logs/data/ghes-3.16/enterprise.json index 3e49a37a0f11..ac956c26a94f 100644 --- a/src/audit-logs/data/ghes-3.16/enterprise.json +++ b/src/audit-logs/data/ghes-3.16/enterprise.json @@ -2,4273 +2,17162 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "account_recovery_token.confirm", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "token_id", + "user_id", + "user", + "actor", + "operation_type" + ] }, { "action": "account_recovery_token.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", + "actor", + "user_id", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "account_recovery_token.recover", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" + ] }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "api.request", "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests", + "fields": [ + "user_agent", + "request_id", + "request_method", + "query_string", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "request_body", + "status_code", + "url_path", + "business", + "business_id", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "route", + "rate_limit_remaining", + "actor_is_bot" + ], "docs_reference_titles": "Streaming the audit log for your enterprise" }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "audit_log_streaming.check", "description": "A manual check of the endpoint configured for audit log streaming was performed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "audit_log_stream_result", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_sink_details", + "request_access_security_header" + ] }, { "action": "audit_log_streaming.create", "description": "An endpoint was added for audit log streaming.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business_id", + "business", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_id" + ] }, { "action": "audit_log_streaming.destroy", "description": "An audit log streaming endpoint was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_id", + "audit_log_stream_sink_details" + ] }, { "action": "audit_log_streaming.update", "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "audit_log_stream_enabled", + "business_id", + "business", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "new_s3_bucket", + "old_s3_bucket", + "secrets_updated", + "new_s3_arn_role", + "old_s3_arn_role", + "new_azure_blob_container", + "old_azure_blob_container", + "new_event_hub_instance", + "old_event_hub_instance", + "new_splunk_domain", + "old_splunk_domain", + "ssl_verify", + "old_gc_bucket" + ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "billing.update_bill_cycle_day", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.add_admin", "description": "An enterprise owner was added to an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "name", + "business", + "user", + "user_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "action", + "operation_type", + "request_id", + "business_id", + "_document_id", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { "action": "business.add_organization", "description": "An organization was added to an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "actor", + "business_id", + "org", + "action", + "user_agent", + "actor_id", + "name", + "created_at", + "request_id", + "_document_id", + "business", + "organization_upgrade", + "request_access_security_header" + ] }, { "action": "business_advanced_security.disabled", "description": "GitHub Advanced Security was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was disabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled", "description": "GitHub Advanced Security was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was enabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.advanced_security_policy_update", "description": "An enterprise owner created, updated, or removed a policy for GitHub Advanced Security.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "business.advanced_security_repo_admin_enablement_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business_advanced_security.user_namespace_repos_disabled", "description": "GitHub Advanced Security was disabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.user_namespace_repos_enabled", "description": "GitHub Advanced Security was enabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.clear_actions_settings", "description": "An enterprise owner or site administrator cleared GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.clear_default_repository_permission", "description": "An enterprise owner cleared the base repository permission policy setting for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "name", + "operation_type", + "business_id", + "user_agent", + "actor_id", + "request_id", + "actor", + "_document_id", + "business", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.clear_members_can_create_repos", "description": "An enterprise owner cleared a restriction on repository creation in organizations in the enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#setting-a-policy-for-repository-creation", + "fields": [ + "user_agent", + "actor_id", + "business_id", + "action", + "_document_id", + "request_id", + "name", + "business", + "visibility", + "created_at", + "actor", + "operation_type", + "@timestamp" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.code_scanning_autofix_policy_update", "description": "The policy for Code scanning autofix was updated for an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.code_scanning_autofix_third_party_tools_policy_update", "description": "The policy for Code scanning autofix third party tools was updated for an enterprise.", "docs_reference_links": "/code-security/getting-started/github-security-features#available-with-github-code-security", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#available-with-github-code-security" }, { "action": "business.create", "description": "An enterprise was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "_document_id", + "action", + "@timestamp", + "request_id", + "name", + "business", + "business_id", + "operation_type", + "actor", + "created_at", + "user_agent", + "request_access_security_header" + ] }, { "action": "business_dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for new repositories in your enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for new repositories in your enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.dependabot_alerts_repo_admin_enablement_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.disable_open_scim", "description": "SCIM provisioning for custom integrations that use the REST API was disabled for the enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was disabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { "action": "business.disable_two_factor_requirement", "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "@timestamp", + "actor", + "business", + "operation_type", + "created_at", + "user_agent", + "business_id", + "actor_id", + "name", + "_document_id", + "request_id" + ] }, { "action": "business.enable_open_scim", "description": "SCIM provisioning for custom integrations that use the REST API was enabled for the enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was enabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { "action": "business.enable_two_factor_requirement", "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "actor", + "operation_type", + "created_at", + "business", + "business_id", + "name", + "_document_id", + "request_id", + "@timestamp" + ] }, { "action": "business.members_can_update_protected_branches.clear", "description": "An enterprise owner unset a policy for whether members of an enterprise can update protected branches on repositories for individual organizations. Organization owners can choose whether to allow updating protected branches settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "business", + "name", + "operation_type", + "user", + "user_agent", + "business_id", + "_document_id" + ] }, { "action": "business.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update branch protection rules was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "business.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update branch protection rules was enabled. Enterprise owners and members can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "actor", + "operation_type", + "_document_id", + "business_id", + "user", + "@timestamp", + "business", + "actor_id", + "created_at", + "action", + "user_agent", + "request_id", + "user_id" + ] }, { "action": "business.remove_admin", "description": "An enterprise owner was removed from an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "actor", + "operation_type", + "user_agent", + "business", + "business_id", + "@timestamp", + "created_at", + "request_id", + "action", + "name", + "actor_id", + "user_id", + "_document_id", + "user" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { "action": "business.remove_organization", "description": "An organization was removed from an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "action", + "business", + "actor", + "actor_id", + "request_id", + "created_at", + "user_agent", + "business_id", + "operation_type", + "@timestamp", + "_document_id", + "name", + "org" + ] }, { "action": "business.rename_slug", "description": "The slug for the enterprise URL was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "name", + "business_id", + "user_agent", + "action", + "actor_id", + "operation_type", + "actor", + "@timestamp", + "created_at", + "business", + "_document_id" + ] }, { "action": "business.revoke_sso_session", "description": "The SAML single sign-on session for a member in an enterprise was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "user_agent", + "request_id", + "user", + "operation_type", + "actor", + "_document_id", + "actor_id", + "name", + "@timestamp", + "user_id", + "action", + "created_at", + "business" + ] }, { "action": "business_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_custom_pattern.create", "description": "An enterprise-level custom pattern was created for secret scanning.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern.delete", "description": "An enterprise-level custom pattern was removed from secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_secret_scanning_custom_pattern.publish", "description": "An enterprise-level custom pattern was published for secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern.update", "description": "Changes to an enterprise-level custom pattern were saved and a dry run was executed for secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_secret_scanning.disable", "description": "Secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.disabled_for_new_repos", "description": "Secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enable", "description": "Secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enabled_for_new_repos", "description": "Secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_push_protection_custom_message.disable", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.enable", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.update", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disable", "description": "Push protection for secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disabled_for_new_repos", "description": "Push protection for secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enable", "description": "Push protection for secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enabled_for_new_repos", "description": "Push protection for secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.secret_scanning_repo_admin_settings_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_coverage", "description": "A CSV export was requested on the \"Coverage\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_overview_dashboard", "description": "A CSV export was requested on the \"Overview Dashboard\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_risk", "description": "A CSV export was requested on the \"Risk\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your enterprise. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "issuer", + "name", + "user_agent", + "action", + "@timestamp", + "_document_id", + "actor", + "business", + "business_id", + "actor_id", + "created_at", + "request_id", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.update_actions_settings", "description": "An enterprise owner or site administrator updated GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "updated_github_owned_allowed", + "updated_verified_allowed", + "updated_patterns", + "new_policy", + "old_policy", + "updated_access_policy" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.update_default_repository_permission", "description": "The base repository permission setting was updated for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "business_id", + "operation_type", + "user_agent", + "actor", + "actor_id", + "permission", + "action", + "created_at", + "@timestamp", + "request_id", + "name", + "_document_id", + "old_permission", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_creation_permission", "description": "The repository creation setting was updated for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-creation", + "fields": [ + "created_at", + "_document_id", + "request_id", + "name", + "business_id", + "actor", + "actor_id", + "@timestamp", + "operation_type", + "permission", + "action", + "business", + "user_agent", + "visibility" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_invitation_permission", "description": "The policy setting for enterprise members inviting outside collaborators to repositories was updated.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-inviting-outside-collaborators-to-repositories", + "fields": [ + "business_id", + "created_at", + "action", + "operation_type", + "@timestamp", + "request_id", + "permission", + "actor", + "actor_id", + "name", + "_document_id", + "user_agent", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "code_scanning.alert_appeared_in_branch", "description": "Existing code scanning alerts appeared in a branch.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_fixed", "description": "Code scanning alerts were fixed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_by_user", "description": "Code scanning alerts were manually dismissed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers", + "dismissal_approver_id" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_created", "description": "Code scanning alerts were seen for the first time.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reappeared", "description": "Code scanning alerts that were previously fixed reappeared.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reopened_by_user", "description": "Code scanning alerts that were previously dismissed were reopened.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code.search", "description": "A code search was run targeting an organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/search-github/github-code-search", + "fields": [ + "@timestamp", + "action", + "actor_id", + "business_id", + "query", + "org_id", + "user_id", + "_document_id", + "search_string" + ], "docs_reference_titles": "/search-github/github-code-search" }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_domain.approve", "description": "A domain was approved for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#approving-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.create", "description": "A domain was added to an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.destroy", "description": "A domain was removed from an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#removing-an-approved-or-verified-domain", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.verify", "description": "A domain was verified for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise.register_self_hosted_runner", "description": "A new GitHub Actions self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "enterprise.remove_self_hosted_runner", "description": "A GitHub Actions self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_created", "description": "A GitHub Actions self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_removed", "description": "A GitHub Actions self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runner_removed", "description": "The REST API was used to remove a GitHub Actions self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "enterprise.runner_group_runners_added", "description": "A GitHub Actions self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runners_updated", "description": "A GitHub Actions runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "enterprise.runner_group_updated", "description": "The configuration of a GitHub Actions self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.self_hosted_runner_offline", "description": "The GitHub Actions runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_online", "description": "The GitHub Actions runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_updated", "description": "The GitHub Actions runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "enterprise_team.add_member", "description": "A new member was added to the enterprise team or an IdP group linked to an enterprise team, or an IdP group was linked to an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "user", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_team.copilot_assignment", "description": "A license for GitHub Copilot was assigned to an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "enterprise_team.copilot_unassignment", "description": "A license for GitHub Copilot was unassigned from an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "enterprise_team.create", "description": "A new enterprise team was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "enterprise_team.destroy", "description": "An enterprise team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "enterprise_team.remove_member", "description": "A member was removed from the enterprise team or an IdP group linked to an enterprise team, or an IdP group was unlinked from an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "user", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_team.rename", "description": "The name of an enterprise team was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "external_group.add_member", "description": "A user was added to an external group.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group", + "external_group_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.delete", "description": "An external group was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "scim_group_id" + ] }, { "action": "external_group.link", "description": "An external group was linked to a GitHub team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "external_group_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group", + "programmatic_access_type", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.provision", "description": "An external group was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "external_group.remove_member", "description": "A user was removed from an external group.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group", + "external_group_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "external_group.scim_api_failure", "description": "Failed external group SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.scim_api_success", "description": "Successful external group SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.unlink", "description": "An external group was unlinked to a GitHub team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "external_group_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group" + ] }, { "action": "external_group.update", "description": "An external group was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.update_display_name", "description": "An external group's display name was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group_id", + "external_group", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_identity.deprovision", "description": "An external identity was deprovisioned, suspending the linked GitHub user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "external_identity.provision", "description": "An external identity was created and linked to a GitHub user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] }, { "action": "external_identity.scim_api_failure", "description": "Failed external identity SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.scim_api_success", "description": "Successful external identity SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.update", "description": "An external identity was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] }, { "action": "gist.create", "description": "A gist was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "user", + "gist_id", + "@timestamp", + "created_at", + "operation_type", + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "gist.destroy", "description": "A gist was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "gist_id", + "visibility", + "created_at", + "_document_id", + "user", + "request_id", + "operation_type", + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "gist.visibility_change", "description": "The visibility of a gist was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "git.clone", "description": "A repository was cloned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.fetch", "description": "Changes were fetched from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.push", "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "gpg_key.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "created_at", + "user_id", + "@timestamp", + "user", + "operation_type", + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" + ] }, { "action": "gpg_key.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor", + "actor_id", + "user", + "action", + "created_at", + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "ip_allow_list.disable", "description": "An IP allow list was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "actor", + "request_id", + "org", + "user_agent", + "_document_id", + "user_id", + "actor_id", + "created_at", + "org_id", + "action", + "@timestamp", + "user" + ] }, { "action": "ip_allow_list.disable_for_installed_apps", "description": "An IP allow list was disabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.disable_user_level_enforcement", "description": "IP allow list user level enforcement was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ip_allow_list.enable", "description": "An IP allow list was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", + "_document_id", + "action", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "org", + "created_at" + ] }, { "action": "ip_allow_list.enable_for_installed_apps", "description": "An IP allow list was enabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.enable_user_level_enforcement", "description": "IP allow list user level enforcement was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ip_allow_list_entry.create", "description": "An IP address was added to an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "active", + "org", + "ip_allow_list_entry", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "actor_id", + "business_id", + "org_id", + "business", + "actor", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.destroy", "description": "An IP address was deleted from an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", + "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.update", "description": "An IP address or its description was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "actor", + "org", + "action", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" + ] }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing_plan.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "actor", + "action", + "operation_type", + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" + ] }, { "action": "marketplace_listing_plan.publish", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", + "_document_id", + "action", + "user_agent", + "request_id", + "actor", + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" + ] }, { "action": "marketplace_listing_plan.retire", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", + "created_at", + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" + ] }, { "action": "marketplace_listing_plan.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "monthly_price_in_cents", + "marketplace_listing", + "_document_id", + "action", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", + "actor_id", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", + "operation_type", + "actor", + "created_at" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_access.regenerate", "description": "An OAuth access token was regenerated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "_document_id", + "created_at", + "@timestamp", + "operation_type", + "action", + "user_agent", + "request_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "oauth_application_name" + ] }, { "action": "oauth_access.update", "description": "An OAuth access token was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "action", + "@timestamp", + "user", + "user_agent", + "request_access_security_header" + ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.suspend", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user_agent", + "org_id", + "org", + "operation_type", + "oauth_application_id", + "action", + "created_at", + "actor", + "actor_id", + "oauth_application", + "_document_id", + "request_id" + ] }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.unsuspend", "description": "An OAuth application was unsuspended for a user or organization account.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "operation_type", + "org_id", + "action", + "oauth_application_id", + "oauth_application", + "org", + "created_at", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "oauth_authorization.update", "description": "An authorization for an OAuth application was updated.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "org_id", + "request_id", + "user_id", + "actor", + "actor_id", + "user_agent", + "@timestamp", + "operation_type", + "action", + "user", + "created_at", + "_document_id", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.add_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.async_delete", "description": "A user initiated a background job to delete an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "request_id", + "org", + "org_id", + "user_agent", + "created_at" + ] }, { "action": "org.billing_signup_error", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_agent", + "action", + "@timestamp", + "actor_id", + "org_id", + "_document_id", + "actor", + "org", + "operation_type" + ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.cancel_invitation", "description": "An invitation sent to a user to join an organization was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "email", + "@timestamp", + "actor", + "action", + "operation_type", + "user_agent", + "org", + "invitation_id", + "_document_id", + "created_at", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.clear_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "org.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.delete", "description": "An organization was deleted by a user or staff.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "@timestamp", + "_document_id", + "created_at", + "actor", + "org_id", + "org", + "action", + "actor_id", + "operation_type", + "request_id", + "request_access_security_header" + ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.disable_saml", "description": "SAML single sign-on was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "sso_url", + "issuer", + "action", + "@timestamp", + "_document_id", + "created_at", + "org", + "operation_type" + ] }, { "action": "org.disable_two_factor_requirement", "description": "A two-factor authentication requirement was disabled for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "org_id", + "action", + "actor", + "actor_id", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "user_agent" + ] }, { "action": "org.display_commenter_full_name_disabled", "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "user", + "action", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" + ] }, { "action": "org.display_commenter_full_name_enabled", "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_agent", + "request_id", + "actor", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", + "action", + "actor_id", + "org_id" + ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.integration_manager_added", "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "org_id", + "manager", + "@timestamp", + "request_id", + "actor", + "operation_type", + "_document_id", + "actor_id", + "org", + "action", + "created_at" + ] }, { "action": "org.integration_manager_removed", "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "@timestamp", + "org", + "user_agent", + "request_id", + "action", + "actor", + "actor_id", + "manager", + "operation_type", + "created_at", + "_document_id" + ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { "action": "org.invite_to_business", "description": "An organization was invited to join an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "org.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "actor", + "user", + "action" + ] }, { "action": "org.rate_limited_invites", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "org_id", + "action", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org" + ] }, { "action": "org.recreate", "description": "An organization was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "action", + "operation_type", + "_document_id", + "user_agent", + "actor_id", + "@timestamp", + "request_id", + "actor", + "org_id" + ] }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.remove_outside_collaborator", "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user", + "org_id", + "created_at", + "request_id", + "@timestamp", + "action", + "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.remove_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "org.rename", "description": "An organization was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "@timestamp", + "org", + "action", + "actor", + "old_login", + "org_id", + "request_id", + "actor_id", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the CodeQL pull request alerts page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "org_id", + "operation_type", + "actor", + "actor_id", + "@timestamp", + "request_id", + "created_at", + "org", + "action" + ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "user_agent", + "actor", + "actor_id", + "org_id", + "@timestamp", + "org", + "issuer", + "business", + "operation_type", + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.transform", "description": "A user account was converted into an organization.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization", + "fields": [ + "actor", + "_document_id", + "request_id", + "operation_type", + "actor_id", + "org_id", + "org", + "action", + "@timestamp", + "created_at", + "user_agent", + "owner", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization" }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_default_repository_permission", "description": "The default repository permission level for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "operation_type", + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" + ] }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_saml_provider_settings", "description": "An organization's SAML provider settings were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", + "@timestamp", + "issuer", + "org", + "_document_id", + "actor", + "org_id", + "created_at", + "request_id", + "action" + ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_published", "description": "A package was published or republished to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_version_published", "description": "A specific package version was published or republished to a package.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "passkey.register", "description": "A new passkey was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "passkey.remove", "description": "A new passkey was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.create", "description": "Triggered when you create a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "personal_access_token.credential_regenerated", "description": "Triggered when you regenerate a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { "action": "personal_access_token.destroy", "description": "Triggered when you delete a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.expiration_limit_set", "description": "A personal access token expiration limit was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "token_expiration", + "old_token_expiration", + "exempt_administrators", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.expiration_limit_unset", "description": "A personal access token expiration limit was unset.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "old_token_expiration", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { "action": "protected_branch.branch_allowances", "description": "A protected branch allowance was given to a specific user, team or integration.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "name", + "authorized_actors", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "protected_branch.create", "description": "Branch protection was enabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "repo_id", + "user_id", + "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", + "_document_id", + "request_id", + "actor", + "actor_id", + "org", + "action", + "created_at", + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.destroy", "description": "Branch protection was disabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "repo", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "repo_id", + "org_id", + "operation_type", + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.dismiss_stale_reviews", "description": "Enforcement of dismissing stale pull requests was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", + "action", + "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", + "operation_type", + "actor", + "repo", + "org", + "name", + "programmatic_access_type" + ] }, { "action": "protected_branch.dismissal_restricted_users_teams", "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", + "actor_id", + "org", + "action", + "operation_type", + "programmatic_access_type" + ] }, { "action": "protected_branch.policy_override", "description": "A branch protection requirement was overridden by a repository administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor", + "reasons", + "@timestamp", + "before", + "after", + "actor_id", + "repo", + "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "rule_suite_id" + ] }, { "action": "protected_branch.rejected_ref_update", "description": "A branch update attempt was rejected.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "@timestamp", + "created_at", + "_document_id", + "business", + "org_id", + "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" + ] }, { "action": "protected_branch.update_admin_enforced", "description": "Branch protection was enforced for repository administrators.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "admin_enforced", + "operation_type", + "user_agent", + "actor", + "org", + "name", + "repo", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_allow_deletions_enforcement_level", "description": "Branch deletion was enabled or disabled for a protected branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "operation_type", + "request_id", + "repo", + "@timestamp", + "org_id", + "org", + "action", + "allow_deletions_enforcement_level", + "_document_id", + "created_at", + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" + ] }, { "action": "protected_branch.update_allow_force_pushes_enforcement_level", "description": "Force pushes were enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "actor_id", + "name", + "_document_id", + "actor", + "repo", + "operation_type", + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_linear_history_requirement_enforcement_level", "description": "Required linear commit history was enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "operation_type", + "actor", + "linear_history_requirement_enforcement_level", + "repo", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "protected_branch.update_name", "description": "A branch name pattern was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "old_name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "protected_branch.update_pull_request_reviews_enforcement_level", "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "org_id", + "_document_id", + "actor_id", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", + "org", + "repo", + "action", + "business", + "user_agent", + "created_at", + "repo_id", + "operation_type", + "actor", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_code_owner_review", "description": "Enforcement of required code owner review was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", + "action", + "@timestamp", + "actor", + "actor_id", + "repo", + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { "action": "protected_branch.update_required_approving_review_count", "description": "Enforcement of the required number of approvals before merging was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "required_approving_review_count", + "repo", + "request_id", + "repo_id", + "created_at", + "actor", + "operation_type", + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_required_status_checks_enforcement_level", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "user_agent", + "@timestamp", + "_document_id", + "name", + "repo", + "action", + "business_id", + "repo_id", + "business", + "actor_id", + "operation_type", + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_signature_requirement_enforcement_level", "description": "Enforcement of required commit signing was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "name", + "@timestamp", + "created_at", + "_document_id", + "request_id", + "repo_id", + "org", + "org_id", + "action", + "actor", + "actor_id", + "signature_requirement_enforcement_level", + "repo", + "user_agent", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_strict_required_status_checks_policy", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "_document_id", + "org", + "@timestamp", + "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", + "operation_type", + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" + ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.in_progress", "description": "A pull request was marked as in progress.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "pull_request.indirect_merge", "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { "action": "pull_request.rebase", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "pull_request_url", + "pull_request_title", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.reopen", "description": "A pull request was reopened after previously being closed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request_review_comment.delete", "description": "A review comment on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "_document_id", + "repo", + "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.update", "description": "A review comment on a pull request was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "request_id", + "actor_id", + "action", + "created_at", + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review.delete", "description": "A review on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "visibility", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.disk_archive", "description": "A repository was archived on disk.", "docs_reference_links": "/repositories/archiving-a-github-repository/archiving-repositories", + "fields": [ + "actor_id", + "repo", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "repo_id", + "actor", + "action", + "user_agent" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository/archiving-repositories" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { "action": "repo.hide_from_discovery", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "org", + "operation_type", + "visibility", + "repo_id", + "created_at", + "actor", + "action", + "@timestamp", + "org_id", + "request_id", + "repo", + "_document_id" + ] }, { "action": "repo.noindex", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo_id", + "request_id", + "action", + "_document_id", + "@timestamp", + "actor_id", + "created_at", + "user", + "operation_type", + "actor", + "user_agent", + "repo", + "user_id", + "public_repo" + ] }, { "action": "repo.override_unlock", "description": "The repository was unlocked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_build", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "action", + "_document_id", + "actor_id", + "repo", + "repo_id", + "operation_type", + "user_agent", + "request_id", + "created_at", + "visibility", + "actor", + "user_id" + ] }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.require_login", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "visibility", + "operation_type", + "repo", + "_document_id", + "user", + "user_id", + "actor", + "actor_id", + "user_agent", + "repo_id", + "action", + "@timestamp", + "request_id" + ] }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { "action": "repository_secret_scanning.enable", "description": "Secret scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_security_configuration.applied", "description": "A code security configuration was applied to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.failed", "description": "A code security configuration failed to attach to the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed", "description": "A code security configuration was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed_by_settings_change", "description": "A code security configuration was removed due to a change in repository or enterprise settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.reopen", "description": "A secret scanning alert was reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type_display_name" + ] }, { "action": "secret_scanning_alert.resolve", "description": "A secret scanning alert was resolved.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "resolution", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" + ] }, { "action": "secret_scanning_alert.revoke", "description": "A secret scanning alert was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "security_configuration.create", "description": "A security configuration was created", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_default.delete", "description": "A default security configuration setting for new repositories was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration_default.update", "description": "A default security configuration setting for new repositories was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration.delete", "description": "A security configuration was deleted", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_policy.update", "description": "A security configuration policy was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enforcement", + "security_configuration_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "security_configuration.update", "description": "A security configuration was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_key.register", "description": "A security key was registered for an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "created_at", + "user_id", + "action", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" + ] }, { "action": "security_key.remove", "description": "A security key was removed from an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "action", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "staff.set_domain_token_expiration", "description": "The verification code expiry time for an organization or enterprise domain was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "staff.unverify_domain", "description": "An organization or enterprise domain was unverified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "staff.verify_domain", "description": "An organization or enterprise domain was verified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "domain_name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { "action": "team.add_repository", "description": "A team was given access and permissions to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", + "org", + "repo", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { "action": "team.create", "description": "A new team is created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", + "org", + "actor", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { "action": "team.destroy", "description": "A team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", + "operation_type", + "_document_id", + "programmatic_access_type" + ] }, { "action": "team_discussions.clear", "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "actor_id", + "user", + "business", + "action", + "request_id", + "created_at", + "user_id", + "_document_id" + ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { "action": "team_discussions.enable", "description": "Team discussions were enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "@timestamp", + "action", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", + "user", + "business", + "operation_type", + "actor", + "created_at" + ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { "action": "team.remove_repository", "description": "A repository was removed from a team's control.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "org_id", + "repo", + "repo_id", + "action", + "_document_id", + "actor", + "@timestamp", + "actor_id", + "user_agent", + "created_at", + "team", + "org", + "operation_type", + "programmatic_access_type" + ] }, { "action": "team.rename", "description": "A team's name was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "user_agent", + "created_at", + "team", + "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team.update_repository_permission", "description": "A team's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "team", + "org_id", + "@timestamp", + "org", + "_document_id", + "old_permission", + "request_id", + "repo", + "action", + "repo_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "trusted_device.register", "description": "A new trusted device was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "trusted_device.remove", "description": "A trusted device was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "two_factor_account_recovery.abort", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "action", + "request_id", + "user_id", + "@timestamp", + "_document_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "two_factor_account_recovery.complete", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "created_at", + "user_id", + "operation_type", + "user", + "_document_id", + "user_agent", + "action" + ] }, { "action": "two_factor_account_recovery.ignore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "created_at", + "user_id", + "operation_type", + "@timestamp", + "user", + "action" + ] }, { "action": "two_factor_account_recovery.staff_approve", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "action", + "_document_id" + ] }, { "action": "two_factor_account_recovery.staff_decline", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user", + "created_at", + "request_id", + "actor_id", + "_document_id" + ] }, { "action": "two_factor_account_recovery.start", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" + ] }, { "action": "two_factor_account_recovery.two_factor_destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "user", + "_document_id", + "request_id" + ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { "action": "two_factor_authentication.password_reset_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", + "@timestamp", + "request_id", + "_document_id", + "user_agent" + ] }, { "action": "two_factor_authentication.recovery_codes_regenerated", "description": "Two factor recovery codes were regenerated for a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "action", + "user", + "user_agent", + "actor_id", + "@timestamp", + "created_at" + ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.sign_in_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "operation_type", + "user_id", + "user", + "user_agent", + "created_at", + "_document_id", + "action", + "@timestamp" + ] }, { "action": "two_factor_authentication.update_fallback", "description": "The two-factor authentication fallback for a user account was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "user", + "user_id", + "operation_type", + "user_agent", + "action", + "request_id", + "actor", + "actor_id" + ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { "action": "user.async_delete", "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "created_at", + "user", + "@timestamp", + "_document_id", + "request_id", + "actor_id", + "operation_type", + "user_agent", + "action", + "request_access_security_header" + ] }, { "action": "user.audit_log_export", "description": "Audit log entries were exported.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", + "operation_type", + "created_at" + ] }, { "action": "user.block_user", "description": "A user was blocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_id", + "_document_id", + "actor_id", + "@timestamp", + "user_agent", + "user", + "request_id", + "blocked_user", + "operation_type", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.change_password", "description": "A user changed their password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "actor", + "user", + "user_id", + "action", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.correct_password_from_unrecognized_device", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "user_agent", + "created_at", + "user", + "action", + "operation_type", + "request_id", + "user_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.correct_password_from_unrecognized_device_and_location", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "_document_id", + "@timestamp", + "created_at", + "user_agent", + "operation_type", + "request_id", + "user_id", + "action", + "request_access_security_header" + ] }, { "action": "user.correct_password_from_unrecognized_location", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "created_at", + "_document_id", + "user_agent", + "user_id", + "@timestamp", + "user", + "action", + "request_access_security_header" + ] }, { "action": "user.create", "description": "A new user account was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "email", + "user_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "created_at", + "_document_id", + "user_agent", + "actor", + "actor_id", + "action", + "programmatic_access_type" + ] }, { "action": "user.create_integration_secret", "description": "A user secret for Codespaces was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.creation_rate_limit_exceeded", "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "user_agent", + "_document_id", + "operation_type", + "oauth_application_id", + "action", + "actor", + "actor_id", + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.delete", "description": "A user account was destroyed by an asynchronous job.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "user_id", + "actor", + "actor_id", + "user", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.demote", "description": "A site administrator was demoted to an ordinary user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "oauth_application_id", + "action", + "user", + "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "_document_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.destroy", "description": "A user deleted his or her account, triggering user.async_delete.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "user", + "_document_id", + "created_at", + "user_agent", + "user_id", + "operation_type", + "actor_id", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.device_verification_failure", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.device_verification_requested", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user_id", + "actor", + "operation_type", + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" + ] }, { "action": "user.device_verification_success", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user", + "_document_id", + "action", + "operation_type", + "user_agent", + "created_at", + "request_id", + "actor", + "actor_id", + "user_id", + "request_access_security_header" + ] }, { "action": "user.disable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user_email.confirm_claim", "description": "An enterprise managed user claimed an email address.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { "action": "user.enable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.failed_login", "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", + "actor", + "actor_id", + "user_agent" + ] }, { "action": "user.flag_as_large_scale_contributor", "description": "A user account was flagged as a large scale contributor. Only contributions from public repositories the user owns will be shown in their contribution graph, in order to prevent timeouts.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "user_agent", + "created_at" + ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { "action": "user.grant_github_developer", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", + "@timestamp", + "_document_id", + "user", + "user_id", + "actor", + "operation_type", + "request_id" + ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.login", "description": "A user signed in.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "actor_id", + "@timestamp", + "user", + "action", + "operation_type", + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" + ] }, { "action": "user.logout", "description": "A user signed out.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.minimize_comment", "description": "A comment made by a user was minimized.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "actor_id", + "@timestamp", + "created_at", + "operation_type", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.new_device_used", "description": "A user signed in from a new device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ] }, { "action": "user.partial_two_factor_email_followup", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "_document_id", + "action", + "@timestamp", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "user.promote", "description": "An ordinary user account was promoted to a site administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "actor", + "actor_id", + "user", + "@timestamp", + "created_at", + "user_agent", + "oauth_application_id", + "request_id", + "operation_type", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.recreate", "description": "A user's account was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user", + "action", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user_id", + "created_at", + "actor", + "operation_type" + ] }, { "action": "user.remove_email", "description": "An email address was removed from a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "@timestamp", + "_document_id", + "request_id", + "user", + "user_id", + "operation_type", + "actor", + "actor_id", + "created_at", + "email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.remove_integration_secret", "description": "A user secret for Codespaces was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.remove_large_scale_contributor_flag", "description": "A user account was no longer flagged as a large scale contributor.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.rename", "description": "A username was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "request_id", + "actor_id", + "old_login", + "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", + "operation_type", + "user_agent", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.report_abuse", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "user_agent", + "request_id", + "action", + "@timestamp", + "created_at", + "org_id", + "_document_id", + "actor", + "actor_id", + "user", + "operation_type" + ] }, { "action": "user.report_content", "description": "Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam", + "fields": [ + "org_id", + "request_id", + "user", + "user_agent", + "action", + "created_at", + "actor", + "operation_type", + "actor_id", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam" }, { "action": "user.reset_password", "description": "A user reset their account password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "user", + "request_id", + "user_id", + "created_at", + "@timestamp", + "_document_id", + "actor", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_session.country_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_id", + "action", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.sign_in_from_unrecognized_device", "description": "A user signed in from an unrecognized device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "operation_type", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_device_and_location", "description": "A user signed in from an unrecognized device and location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "request_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_location", "description": "A user signed in from an unrecognized location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "action", + "operation_type", + "user_agent", + "user", + "_document_id", + "actor", + "created_at", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user_status.destroy", "description": "Triggered when you clear the status on your profile.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_id", + "actor", + "message", + "user", + "actor_id", + "created_at", + "request_id", + "limited_availability", + "action", + "emoji", + "operation_type", + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { "action": "user.suspend", "description": "A user account was suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "operation_type", + "actor_id", + "user", + "user_agent", + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.toggle_warn_private_email", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "actor_id", + "@timestamp", + "operation_type", + "_document_id", + "user_agent", + "actor", + "action", + "user_id", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_success", "description": "A 2FA challenge issued for a user account succeeded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_id", + "operation_type", + "actor_id", + "user", + "actor", + "user_agent", + "request_id", + "action", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_recover", "description": "A user used their 2FA recovery codes.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", + "action", + "actor", + "actor_id", + "created_at", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_downloaded", "description": "A user downloaded 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "actor_id", + "user", + "request_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_printed", "description": "A user printed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", + "actor", + "actor_id", + "@timestamp" + ] }, { "action": "user.two_factor_recovery_codes_viewed", "description": "A user viewed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "actor", + "user_id", + "action", + "created_at", + "user", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { "action": "user.unblock_user", "description": "A user was unblocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", + "actor", + "@timestamp", + "user_agent", + "user_id", + "user", + "created_at", + "request_access_security_header" + ] }, { "action": "user.unminimize_comment", "description": "A comment made by a user was unminimized.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user_agent", + "_document_id", + "actor_id", + "user", + "user_id", + "operation_type", + "request_id", + "actor", + "action", + "created_at" + ] }, { "action": "user.unsuspend", "description": "A user account was unsuspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "user", + "action", + "user_agent", + "actor", + "oauth_application_id", + "operation_type", + "actor_id", + "created_at", + "@timestamp", + "user_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.update_integration_secret", "description": "A user secret for Codespaces was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.update_new_repository_default_branch_setting", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.16/organization.json b/src/audit-logs/data/ghes-3.16/organization.json index 8ca9805d25f9..f49f7132173b 100644 --- a/src/audit-logs/data/ghes-3.16/organization.json +++ b/src/audit-logs/data/ghes-3.16/organization.json @@ -2,3966 +2,16186 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "advisory_credit.accept", "description": "Credit was accepted for a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory" }, { "action": "advisory_credit.create", "description": "Someone was added to the credit section of a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "advisory_credit.decline", "description": "Credit was declined for a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "advisory_credit.destroy", "description": "Someone was removed from the credit section of a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "auto_approve_personal_access_token_requests.disable", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources. See also: personal_access_token.auto_approve_grant_requests_disabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "auto_approve_personal_access_token_requests.enable", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval. See also: personal_access_token.auto_approve_grant_requests_enabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "code_scanning.alert_appeared_in_branch", "description": "Existing code scanning alerts appeared in a branch.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_fixed", "description": "Code scanning alerts were fixed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_by_user", "description": "Code scanning alerts were manually dismissed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers", + "dismissal_approver_id" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_created", "description": "Code scanning alerts were seen for the first time.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reappeared", "description": "Code scanning alerts that were previously fixed reappeared.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reopened_by_user", "description": "Code scanning alerts that were previously dismissed were reopened.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.attempted_to_create_from_prebuild", "description": "An attempt to create a codespace from a prebuild was made.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "pull_request_id", + "repository", + "repository_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "codespaces.business_enablement_updated", "description": "Enterprise setting for Codespaces ownership was updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "organization_names", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.policy_group_created", "description": "Policies were applied to codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.policy_group_deleted", "description": "Policies were removed from codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "codespaces.policy_group_updated", "description": "Policies were updated for codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "commit_comment.destroy", "description": "A commit comment was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "repo", + "org", + "org_id", + "created_at", + "@timestamp", + "operation_type", + "repo_id", + "actor_id", + "request_id", + "_document_id", + "user_agent", + "action", + "programmatic_access_type" + ] }, { "action": "commit_comment.update", "description": "A commit comment was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "repo_id", + "actor", + "org", + "request_id", + "action", + "@timestamp", + "repo", + "org_id", + "actor_id", + "created_at", + "user_agent", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "copilot.access_revoked", "description": "Copilot access was revoked for the organization or enterprise due to its Copilot subscription ending, an issue with billing the entity, the entity being marked spammy, or the entity being suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "plan", + "org_id", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "copilot.cfb_org_settings_changed", "description": "Copilot feature settings were changed at the organization level.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.cfb_seat_management_changed", "description": "The seat management setting was changed at the organization level to either enable or disable Copilot access for all members of the organization, or to enable Copilot access for selected members or teams.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_value", + "new_value", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "copilot.content_exclusion_changed", "description": "The excluded paths for GitHub Copilot were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "excluded_paths", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.knowledge_base_created", "description": "A knowledge base was created in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_deleted", "description": "A knowledge base was deleted from the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_updated", "description": "A knowledge base was updated in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.plan_changed", "description": "The plan for GitHub Copilot was updated.", "docs_reference_links": "/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_plan", + "plan", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About billing for GitHub Copilot" }, { "action": "copilot.plan_downgrade_scheduled", "description": "The plan for GitHub Copilot was scheduled to be downgraded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "current_plan", + "scheduled_plan" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "discussion_comment.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "repo_id", + "request_id", + "action", + "actor", + "org_id", + "_document_id", + "actor_id", + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "discussion_comment.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "@timestamp", + "actor", + "user_agent", + "request_id", + "org", + "_document_id", + "actor_id", + "operation_type", + "created_at", + "repo", + "org_id", + "action", + "request_access_security_header" + ] }, { "action": "discussion.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "user_agent", + "actor_id", + "org_id", + "actor", + "org", + "action", + "operation_type", + "@timestamp", + "request_id", + "title", + "_document_id", + "created_at", + "repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_installation.create", "description": "The GitHub App associated with a GitHub Connect connection was created.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "operation_type", + "@timestamp", + "_document_id", + "org_id", + "action", + "request_id", + "org", + "actor_id", + "user_agent", + "actor" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "enterprise_installation.destroy", "description": "The GitHub App associated with a GitHub Connect connection was deleted.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "_document_id", + "action", + "@timestamp", + "actor_id", + "actor", + "user_agent", + "org", + "operation_type", + "request_id", + "org_id" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "git.clone", "description": "A repository was cloned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.fetch", "description": "Changes were fetched from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.push", "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation_request.close", "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "url", + "actor", + "actor_id", + "created_at", + "request_id", + "operation_type", + "@timestamp", + "integration", + "action", + "user_agent", + "reason", + "_document_id", + "org", + "org_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation_request.create", "description": "A member requested that an owner install a GitHub App.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "@timestamp", + "actor_id", + "org", + "_document_id", + "requester", + "action", + "user_agent", + "created_at", + "url", + "org_id", + "request_id", + "operation_type", + "actor", + "integration", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "ip_allow_list.disable", "description": "An IP allow list was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "actor", + "request_id", + "org", + "user_agent", + "_document_id", + "user_id", + "actor_id", + "created_at", + "org_id", + "action", + "@timestamp", + "user" + ] }, { "action": "ip_allow_list.disable_for_installed_apps", "description": "An IP allow list was disabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.enable", "description": "An IP allow list was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", + "_document_id", + "action", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "org", + "created_at" + ] }, { "action": "ip_allow_list.enable_for_installed_apps", "description": "An IP allow list was enabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list_entry.create", "description": "An IP address was added to an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "active", + "org", + "ip_allow_list_entry", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "actor_id", + "business_id", + "org_id", + "business", + "actor", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.destroy", "description": "An IP address was deleted from an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", + "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.update", "description": "An IP address or its description was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "actor", + "org", + "action", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" + ] }, { "action": "issue_comment.destroy", "description": "A comment on an issue was deleted from the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "org", + "repo", + "actor_id", + "@timestamp", + "created_at", + "_document_id", + "action", + "operation_type", + "user_agent", + "repo_id", + "actor", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "issue_comment.update", "description": "A comment on an issue (other than the initial one) changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "action", + "repo_id", + "org_id", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "_document_id", + "actor_id", + "actor", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "issue.destroy", "description": "An issue was deleted from the repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/deleting-an-issue", + "fields": [ + "user", + "actor_id", + "created_at", + "title", + "@timestamp", + "_document_id", + "request_id", + "actor", + "user_id", + "action", + "operation_type", + "user_agent", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting an issue" }, { "action": "issue.pinned", "description": "An issue was pinned to a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "_document_id", + "user_agent", + "actor_id", + "created_at", + "action", + "actor", + "operation_type", + "owner_type", + "@timestamp", + "repo_id", + "request_id", + "number", + "repo", + "event", + "user", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issue.transfer", "description": "An issue was transferred to another repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/transferring-an-issue-to-another-repository", + "fields": [ + "user", + "user_id", + "@timestamp", + "user_agent", + "owner_type", + "actor_id", + "number", + "repo", + "operation_type", + "_document_id", + "repo_id", + "action", + "request_id", + "created_at", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "Transferring an issue to another repository" }, { "action": "issue.unpinned", "description": "An issue was unpinned from a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "event", + "user_agent", + "actor_id", + "repo_id", + "actor", + "action", + "created_at", + "request_id", + "repo", + "operation_type", + "_document_id", + "number", + "owner_type", + "@timestamp", + "user", + "user_id", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issues.deletes_disabled", "description": "The ability for enterprise members to delete issues was disabled Members cannot delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user_agent", + "action", + "@timestamp", + "operation_type", + "request_id", + "actor_id", + "user_id", + "created_at", + "_document_id", + "actor", + "user", + "org", + "org_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_enabled", "description": "The ability for enterprise members to delete issues was enabled Members can delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "operation_type" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_policy_cleared", "description": "An enterprise owner cleared the policy setting for allowing members to delete issues in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user", + "request_id", + "actor", + "business_id", + "action", + "operation_type", + "user_agent", + "created_at", + "@timestamp", + "_document_id", + "business", + "user_id", + "actor_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "members_can_create_pages.disable", "description": "The ability for members to publish GitHub Pages sites was disabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_pages.enable", "description": "The ability for members to publish GitHub Pages sites was enabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.disable", "description": "The ability for members to publish private GitHub Pages was disabled Members cannot publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.enable", "description": "The ability for members to publish private GitHub Pages was enabled Members can publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.disable", "description": "The ability for members to publish public GitHub Pages was disabled Members cannot publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.enable", "description": "The ability for members to publish public GitHub Pages was enabled Members can publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_delete_repos.clear", "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "_document_id", + "request_id", + "user", + "user_id", + "business", + "operation_type", + "user_agent", + "actor", + "actor_id", + "business_id", + "@timestamp", + "created_at", + "action" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.disable", "description": "The ability for enterprise members to delete repositories was disabled Members cannot delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "request_id", + "org", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "actor", + "operation_type", + "org_id", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.enable", "description": "The ability for enterprise members to delete repositories was enabled Members can delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "action", + "org_id", + "user_id", + "business", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user", + "business_id", + "created_at", + "actor", + "org", + "operation_type", + "user_agent" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_view_dependency_insights.clear", "description": "An enterprise owner cleared the policy setting for viewing dependency insights in any organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "created_at", + "request_id", + "actor", + "action", + "operation_type" + ] }, { "action": "members_can_view_dependency_insights.disable", "description": "The ability for enterprise members to view dependency insights was disabled. Members cannot view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "business", + "created_at", + "user_id", + "business_id", + "user", + "org", + "operation_type", + "request_id", + "actor", + "_document_id", + "action", + "user_agent", + "actor_id", + "org_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "members_can_view_dependency_insights.enable", "description": "The ability for enterprise members to view dependency insights was enabled. Members can view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "user_agent", + "user", + "user_id", + "business", + "business_id", + "operation_type", + "@timestamp", + "action", + "actor", + "actor_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "migration.destroy_file", "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "org_id", + "action", + "operation_type", + "created_at", + "repo", + "_document_id", + "repo_id", + "request_access_security_header" + ] }, { "action": "migration.download", "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was downloaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "oauth_application_id", + "repo_id", + "operation_type", + "@timestamp", + "user_agent", + "created_at", + "org", + "action", + "_document_id", + "repo", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "network_configuration.create", "description": "A network configuration for a hosted compute service was created.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.delete", "description": "A network configuration for a hosted compute service was deleted.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.update", "description": "A network configuration for a hosted compute service was updated.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.add_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_disabled", "description": "Third-party application access for outside collaborators was disabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_enabled", "description": "Third-party application access for outside collaborators was enabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.archive", "description": "The organization was archived.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.audit_log_export", "description": "An export of the organization audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "actor", + "org", + "action", + "created_at", + "user_agent", + "actor_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" }, { "action": "org.audit_log_git_event_export", "description": "An export of the organization's Git events was created.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "start", + "end", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization" }, { "action": "org.billing_signup_error", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_agent", + "action", + "@timestamp", + "actor_id", + "org_id", + "_document_id", + "actor", + "org", + "operation_type" + ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.cancel_invitation", "description": "An invitation sent to a user to join an organization was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "email", + "@timestamp", + "actor", + "action", + "operation_type", + "user_agent", + "org", + "invitation_id", + "_document_id", + "created_at", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.clear_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "org.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codespaces_access_updated", "description": "Access to use Codespaces on internal and private repositories was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization" }, { "action": "org.codespaces_ownership_updated", "description": "Ownership and payment for codespaces was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { "action": "org.codespaces_team_access_allowed", "description": "A team has been allowed to use Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.codespaces_team_access_revoked", "description": "A team has been prevented from using Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to all other repositories in an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to all other repositories in an organization was revoked.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_user_access_allowed", "description": "A user has been allowed to use Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.codespaces_user_access_revoked", "description": "A user has been prevented from using Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.connect_usage_metrics_export", "description": "Server statistics were exported for the organization.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/exporting-server-statistics", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Exporting Server Statistics" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.create_actions_secret", "description": "A GitHub Actions secret was created for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.create_actions_variable", "description": "A GitHub Actions variable was created for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org_credential_authorization.deauthorize", "description": "A member removed the SSO (SAML or OIDC) authorization from a credential that had access to your organization.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor_id", + "org_id", + "business", + "action", + "@timestamp", + "org", + "_document_id", + "business_id", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authorizing a personal access token for use with single sign-on" }, { "action": "org_credential_authorization.grant", "description": "A member authorized credentials for use with SAML or OIDC single sign-on.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "created_at", + "org_id", + "business_id", + "operation_type", + "request_id", + "_document_id", + "action", + "actor_id", + "business", + "org", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "request_access_security_header", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authenticating with single sign-on" }, { "action": "org_credential_authorization.revoke", "description": "An owner revoked authorized credentials.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization", + "fields": [ + "actor", + "org", + "@timestamp", + "owner", + "oauth_application_id", + "org_id", + "operation_type", + "action", + "business", + "request_id", + "created_at", + "business_id", + "actor_id", + "_document_id", + "user_agent", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.delete", "description": "An organization was deleted by a user or staff.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "@timestamp", + "_document_id", + "created_at", + "actor", + "org_id", + "org", + "action", + "actor_id", + "operation_type", + "request_id", + "request_access_security_header" + ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were disabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "org_id", + "action", + "_document_id", + "request_id", + "@timestamp", + "actor", + "org", + "operation_type", + "user_agent", + "created_at" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.disable_saml", "description": "SAML single sign-on was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "sso_url", + "issuer", + "action", + "@timestamp", + "_document_id", + "created_at", + "org", + "operation_type" + ] }, { "action": "org.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.disable_two_factor_requirement", "description": "A two-factor authentication requirement was disabled for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "org_id", + "action", + "actor", + "actor_id", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "user_agent" + ] }, { "action": "org.display_commenter_full_name_disabled", "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "user", + "action", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" + ] }, { "action": "org.display_commenter_full_name_enabled", "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_agent", + "request_id", + "actor", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", + "action", + "actor_id", + "org_id" + ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were enabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "operation_type", + "org", + "created_at", + "_document_id", + "actor", + "org_id", + "action", + "user_agent", + "request_id", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.integration_manager_added", "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "org_id", + "manager", + "@timestamp", + "request_id", + "actor", + "operation_type", + "_document_id", + "actor_id", + "org", + "action", + "created_at" + ] }, { "action": "org.integration_manager_removed", "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "@timestamp", + "org", + "user_agent", + "request_id", + "action", + "actor", + "actor_id", + "manager", + "operation_type", + "created_at", + "_document_id" + ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { "action": "org.invite_to_business", "description": "An organization was invited to join an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "org.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "actor", + "user", + "action" + ] }, { "action": "org.oauth_app_access_approved", "description": "Access to an organization was granted for an OAuth App.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization", + "fields": [ + "url", + "actor", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "org_id", + "_document_id", + "org", + "action", + "created_at", + "@timestamp", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization" }, { "action": "org.oauth_app_access_blocked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "url", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.oauth_app_access_denied", "description": "Access was disabled for an OAuth App that was previously approved.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization", + "fields": [ + "request_id", + "url", + "created_at", + "org_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "org", + "operation_type", + "actor", + "actor_id", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization" }, { "action": "org.oauth_app_access_requested", "description": "An organization member requested that an owner grant an OAuth App access to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "_document_id", + "request_id", + "url", + "org_id", + "action", + "@timestamp", + "org", + "request_access_security_header", + "oauth_application_name" + ] }, { "action": "org.oauth_app_access_unblocked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "url", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.rate_limited_invites", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "org_id", + "action", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org" + ] }, { "action": "org.recovery_code_failed", "description": "An organization owner failed to sign into a organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_code_used", "description": "An organization owner successfully signed into an organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_codes_downloaded", "description": "An organization owner downloaded the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_generated", "description": "An organization owner generated the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_printed", "description": "An organization owner printed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_viewed", "description": "An organization owner viewed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_actions_secret", "description": "A GitHub Actions secret was removed from an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.remove_actions_variable", "description": "A GitHub Actions variable was removed from an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.remove_integration_secret", "description": "A Codespaces or Dependabot secret was removed from an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.remove_outside_collaborator", "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user", + "org_id", + "created_at", + "request_id", + "@timestamp", + "action", + "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.remove_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "org.rename", "description": "An organization was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "@timestamp", + "org", + "action", + "actor", + "old_login", + "org_id", + "request_id", + "actor_id", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "org.required_workflow_create", "description": "Triggered when a required workflow is created.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_delete", "description": "Triggered when a required workflow is deleted.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_update", "description": "Triggered when a required workflow is updated.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.revoke_external_identity", "description": "A member's linked identity was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor", + "org", + "org_id", + "user", + "operation_type", + "user_id", + "@timestamp", + "action", + "actor_id", + "user_agent", + "_document_id", + "request_id", + "created_at" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.revoke_sso_session", "description": "A member's SAML session was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor_id", + "created_at", + "user", + "action", + "operation_type", + "@timestamp", + "org", + "org_id", + "user_agent", + "request_id", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_renamed", "description": "A self-hosted runner group was renamed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_visiblity_updated", "description": "The visibility of a self-hosted runner group was updated via the REST API.", "docs_reference_links": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "visibility", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_generic_secrets.disabled", "description": "Generic secrets have been disabled at the organization level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "org_secret_scanning_generic_secrets.enabled", "description": "Generic secrets have been enabled at the organization level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the CodeQL pull request alerts page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "org_id", + "operation_type", + "actor", + "actor_id", + "@timestamp", + "request_id", + "created_at", + "org", + "action" + ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "user_agent", + "actor", + "actor_id", + "org_id", + "@timestamp", + "org", + "issuer", + "business", + "operation_type", + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.transfer", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "from_business", + "to_business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.transfer_outgoing", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "business", + "business_id", + "from_business", + "to_business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.unarchive", "description": "The organization was unarchived.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_secret", "description": "A GitHub Actions secret was updated for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "created_at", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_actions_variable", "description": "A GitHub Actions variable was updated for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.update_default_repository_permission", "description": "The default repository permission level for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "operation_type", + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" + ] }, { "action": "org.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_new_repository_default_branch_setting", "description": "The name of the default branch was changed for new repositories in the organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization" }, { "action": "org.update_repo_self_hosted_runners_policy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_repo_runners_policy", + "new_repo_runners_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.update_saml_provider_settings", "description": "An organization's SAML provider settings were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", + "@timestamp", + "issuer", + "org", + "_document_id", + "actor", + "org_id", + "created_at", + "request_id", + "action" + ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_default_label.create", "description": "A default label was created for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label", + "fields": [ + "request_id", + "actor_id", + "actor", + "org", + "org_id", + "operation_type", + "_document_id", + "action", + "created_at", + "@timestamp", + "user_agent", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label" }, { "action": "organization_default_label.destroy", "description": "A default label was deleted for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label", + "fields": [ + "operation_type", + "request_id", + "actor", + "@timestamp", + "_document_id", + "actor_id", + "org_id", + "org", + "action", + "created_at", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label" }, { "action": "organization_default_label.update", "description": "A default label was edited for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label", + "fields": [ + "org", + "created_at", + "@timestamp", + "actor", + "action", + "user_agent", + "actor_id", + "org_id", + "operation_type", + "request_id", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_moderators.add_team", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.add_user", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.remove_team", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.remove_user", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type" + ] }, { "action": "organization_projects_change.clear", "description": "An enterprise owner cleared the policy setting for organization-wide project boards in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor", + "business_id", + "@timestamp", + "actor_id", + "user", + "user_id", + "action", + "user_agent", + "_document_id", + "created_at", + "operation_type", + "request_id", + "business" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.disable", "description": "Organization projects were disabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "org_id", + "action", + "user", + "org", + "created_at", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.enable", "description": "Organization projects were enabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor_id", + "org_id", + "created_at", + "user_id", + "org", + "@timestamp", + "_document_id", + "user_agent", + "actor", + "request_id", + "user", + "action", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_role.assign", "description": "An organization role was assigned to a user or team.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.create", "description": "A custom organization role was created in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.destroy", "description": "A custom organization role was deleted in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.revoke", "description": "A user or team was unassigned an organization role.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.update", "description": "A custom organization role was edited in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "old_role_permissions", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "old_base_role" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_wide_project_base_role.update", "description": "An organization's default project base role was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", + "business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_published", "description": "A package was published or republished to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_version_published", "description": "A specific package version was published or republished to a package.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_restriction_disabled", "description": "The configured restriction for access to resources via personal access tokens was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_restriction_enabled", "description": "The configured restriction for access to resources via personal access tokens was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.auto_approve_grant_requests_disabled", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.auto_approve_grant_requests_enabled", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.expiration_limit_set", "description": "A personal access token expiration limit was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "token_expiration", + "old_token_expiration", + "exempt_administrators", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.expiration_limit_unset", "description": "A personal access token expiration limit was unset.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "old_token_expiration", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "prebuild_configuration.create", "description": "A GitHub Codespaces prebuild configuration for a repository was created.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.destroy", "description": "A GitHub Codespaces prebuild configuration for a repository was deleted.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.run_triggered", "description": "A user initiated a run of a GitHub Codespaces prebuild configuration for a repository branch.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.update", "description": "A GitHub Codespaces prebuild configuration for a repository was edited.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_repository_forking.clear", "description": "An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "action", + "operation_type", + "@timestamp", + "business_id", + "actor_id", + "user", + "business", + "request_id", + "actor", + "created_at", + "_document_id" + ] }, { "action": "private_repository_forking.disable", "description": "An enterprise owner disabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are never allowed to be forked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor_id", + "_document_id", + "actor", + "user", + "repo", + "action", + "user_agent", + "@timestamp", + "org", + "operation_type", + "request_id", + "user_id", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "private_repository_forking.enable", "description": "An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_id", + "operation_type", + "_document_id", + "action", + "@timestamp", + "repo", + "org", + "business", + "user_agent", + "request_id", + "actor", + "repo_id", + "user", + "org_id", + "created_at", + "business_id" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project_base_role.update", "description": "A project's base role was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", + "project_number", + "public_project", + "business", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { "action": "protected_branch.branch_allowances", "description": "A protected branch allowance was given to a specific user, team or integration.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "name", + "authorized_actors", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "protected_branch.create", "description": "Branch protection was enabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "repo_id", + "user_id", + "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", + "_document_id", + "request_id", + "actor", + "actor_id", + "org", + "action", + "created_at", + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.destroy", "description": "Branch protection was disabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "repo", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "repo_id", + "org_id", + "operation_type", + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.dismiss_stale_reviews", "description": "Enforcement of dismissing stale pull requests was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", + "action", + "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", + "operation_type", + "actor", + "repo", + "org", + "name", + "programmatic_access_type" + ] }, { "action": "protected_branch.dismissal_restricted_users_teams", "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", + "actor_id", + "org", + "action", + "operation_type", + "programmatic_access_type" + ] }, { "action": "protected_branch.policy_override", "description": "A branch protection requirement was overridden by a repository administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor", + "reasons", + "@timestamp", + "before", + "after", + "actor_id", + "repo", + "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "rule_suite_id" + ] }, { "action": "protected_branch.rejected_ref_update", "description": "A branch update attempt was rejected.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "@timestamp", + "created_at", + "_document_id", + "business", + "org_id", + "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" + ] }, { "action": "protected_branch.update_admin_enforced", "description": "Branch protection was enforced for repository administrators.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "admin_enforced", + "operation_type", + "user_agent", + "actor", + "org", + "name", + "repo", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_allow_deletions_enforcement_level", "description": "Branch deletion was enabled or disabled for a protected branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "operation_type", + "request_id", + "repo", + "@timestamp", + "org_id", + "org", + "action", + "allow_deletions_enforcement_level", + "_document_id", + "created_at", + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" + ] }, { "action": "protected_branch.update_allow_force_pushes_enforcement_level", "description": "Force pushes were enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "actor_id", + "name", + "_document_id", + "actor", + "repo", + "operation_type", + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_linear_history_requirement_enforcement_level", "description": "Required linear commit history was enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "operation_type", + "actor", + "linear_history_requirement_enforcement_level", + "repo", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "protected_branch.update_name", "description": "A branch name pattern was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "old_name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "protected_branch.update_pull_request_reviews_enforcement_level", "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "org_id", + "_document_id", + "actor_id", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", + "org", + "repo", + "action", + "business", + "user_agent", + "created_at", + "repo_id", + "operation_type", + "actor", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_code_owner_review", "description": "Enforcement of required code owner review was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", + "action", + "@timestamp", + "actor", + "actor_id", + "repo", + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { "action": "protected_branch.update_required_approving_review_count", "description": "Enforcement of the required number of approvals before merging was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "required_approving_review_count", + "repo", + "request_id", + "repo_id", + "created_at", + "actor", + "operation_type", + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_required_status_checks_enforcement_level", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "user_agent", + "@timestamp", + "_document_id", + "name", + "repo", + "action", + "business_id", + "repo_id", + "business", + "actor_id", + "operation_type", + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_signature_requirement_enforcement_level", "description": "Enforcement of required commit signing was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "name", + "@timestamp", + "created_at", + "_document_id", + "request_id", + "repo_id", + "org", + "org_id", + "action", + "actor", + "actor_id", + "signature_requirement_enforcement_level", + "repo", + "user_agent", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_strict_required_status_checks_policy", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "_document_id", + "org", + "@timestamp", + "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", + "operation_type", + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" + ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.in_progress", "description": "A pull request was marked as in progress.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "pull_request.indirect_merge", "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { "action": "pull_request.rebase", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "pull_request_url", + "pull_request_title", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.reopen", "description": "A pull request was reopened after previously being closed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request_review_comment.delete", "description": "A review comment on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "_document_id", + "repo", + "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.update", "description": "A review comment on a pull request was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "request_id", + "actor_id", + "action", + "created_at", + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review.delete", "description": "A review on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to this repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "repo.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to this repository was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.rename_branch", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "old_branch", + "new_branch", + "default_branch", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_advisory.close", "description": "Someone closed a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories", + "fields": [ + "actor", + "repo", + "@timestamp", + "business", + "business_id", + "user_agent", + "actor_id", + "request_id", + "action", + "operation_type", + "created_at", + "repo_id", + "_document_id", + "org", + "org_id", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories" }, { "action": "repository_advisory.cve_request", "description": "Someone requested a CVE (Common Vulnerabilities and Exposures) number from GitHub for a draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "repo", + "org_id", + "actor", + "action", + "request_id", + "org", + "operation_type", + "@timestamp", + "user_agent", + "actor_id", + "_document_id", + "created_at" + ] }, { "action": "repository_advisory.github_broadcast", "description": "GitHub made a security advisory public in the GitHub Advisory Database.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "repository_advisory.github_withdraw", "description": "GitHub withdrew a security advisory that was published in error.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repository_advisory.open", "description": "Someone opened a draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "actor_id", + "actor", + "repo", + "created_at", + "_document_id", + "repo_id", + "action", + "@timestamp", + "request_id", + "request_access_security_header" + ] }, { "action": "repository_advisory.publish", "description": "Someone published a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "actor_id", + "@timestamp", + "actor", + "repo_id", + "_document_id", + "repo", + "business_id", + "business", + "request_id", + "action", + "created_at", + "org_id", + "org" + ] }, { "action": "repository_advisory.reopen", "description": "Someone reopened as draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "repo", + "action", + "created_at", + "@timestamp", + "request_id", + "actor_id", + "_document_id", + "actor", + "repo_id", + "public_repo" + ] }, { "action": "repository_advisory.update", "description": "Someone edited a draft or published security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "repo_id", + "org_id", + "business", + "actor", + "user_agent", + "created_at", + "_document_id", + "business_id", + "repo", + "action", + "operation_type", + "org", + "@timestamp", + "request_id" + ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_content_analysis.disable", "description": "Data use settings were disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "repo_id", + "request_id", + "actor_id", + "created_at", + "user_agent", + "action", + "operation_type", + "actor", + "repo", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_content_analysis.enable", "description": "Data use settings were enabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "org", + "user_id", + "repo_id", + "@timestamp", + "request_id", + "actor", + "action", + "operation_type", + "created_at", + "actor_id", + "repo", + "user_agent", + "org_id", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.disable", "description": "The dependency graph was disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "repo_id", + "operation_type", + "user_id", + "repo", + "_document_id", + "actor", + "user", + "action", + "@timestamp", + "org_id", + "actor_id", + "org", + "created_at", + "user_agent", + "request_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea, tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.enable", "description": "The dependency graph was enabled for a private repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "org", + "org_id", + "action", + "repo", + "user_id", + "created_at", + "user_agent", + "actor_id", + "repo_id", + "operation_type", + "actor", + "@timestamp", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_projects_change.clear", "description": "The repository projects policy was removed for an organization, or all organizations in the enterprise Organization owners can now control their repository projects settings.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "action", + "user_agent", + "user", + "business_id", + "business", + "operation_type", + "actor", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "repository_projects_change.disable", "description": "Repository projects were disabled for a repository, all repositories in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "@timestamp", + "repo", + "action", + "operation_type", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "repo_id", + "actor", + "request_id", + "programmatic_access_type" + ] }, { "action": "repository_projects_change.enable", "description": "Repository projects were enabled for a repository, all repositories in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "repo_id", + "org", + "request_id", + "user", + "user_agent", + "created_at", + "org_id", + "action", + "user_id", + "operation_type", + "_document_id", + "actor_id", + "repo" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { "action": "repository_secret_scanning.enable", "description": "Secret scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "repository_secret_scanning_generic_secrets.disabled", "description": "Generic secrets have been disabled at the repository level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_secret_scanning_generic_secrets.enabled", "description": "Generic secrets have been enabled at the repository level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_security_configuration.applied", "description": "A code security configuration was applied to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.failed", "description": "A code security configuration failed to attach to the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed", "description": "A code security configuration was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed_by_settings_change", "description": "A code security configuration was removed due to a change in repository or enterprise settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_visibility_change.clear", "description": "The repository visibility change setting was cleared for an organization or enterprise.", "docs_reference_links": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-changes-to-repository-visibility", + "fields": [ + "created_at", + "_document_id", + "request_id", + "actor_id", + "business", + "action", + "operation_type", + "user", + "user_id", + "business_id", + "@timestamp", + "user_agent", + "actor", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, Enforcing repository management policies in your enterprise" }, { "action": "repository_visibility_change.disable", "description": "The ability for enterprise members to update a repository's visibility was disabled. Members are unable to change repository visibilities in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "org_id", + "created_at", + "user_agent", + "actor", + "actor_id", + "org", + "operation_type", + "_document_id", + "@timestamp", + "user_id", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "repository_visibility_change.enable", "description": "The ability for enterprise members to update a repository's visibility was enabled. Members are able to change repository visibilities in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "operation_type", + "_document_id", + "@timestamp", + "user_agent", + "user", + "created_at", + "org", + "org_id", + "action", + "actor_id", + "user_id", + "request_id" + ] }, { "action": "repository_vulnerability_alert.auto_dismiss", "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.auto_reopen", "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.create", "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "fields": [ + "operation_type", + "request_id", + "repo_id", + "@timestamp", + "user_agent", + "alert_id", + "action", + "repo", + "created_at", + "_document_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ], "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts" }, { "action": "repository_vulnerability_alert.dismiss", "description": "A Dependabot alert was manually dismissed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "org_id", + "user_id", + "request_id", + "@timestamp", + "operation_type", + "user_agent", + "alert_id", + "actor", + "repo", + "created_at", + "org", + "_document_id", + "action", + "actor_id", + "dismiss_reason", + "user", + "dismiss_comment", + "alert_number", + "actor_is_bot" + ] }, { "action": "repository_vulnerability_alert.reintroduce", "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "alert_id", + "created_at", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "_document_id", + "@timestamp", + "operation_type", + "token_scopes", + "alert_number" + ] }, { "action": "repository_vulnerability_alert.reopen", "description": "A Dependabot alert was manually reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "alert_id", + "created_at", + "action", + "repo", + "repo_id", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "operation_type", + "business", + "business_id", + "public_repo", + "alert_number", + "request_access_security_header" + ] }, { "action": "repository_vulnerability_alert.resolve", "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "alert_id", + "repo", + "operation_type", + "action", + "repo_id", + "_document_id", + "user_agent", + "request_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ] }, { "action": "repository_vulnerability_alert.withdraw", "description": "A Dependabot alert was withdrawn.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "alert_id", + "alert_number", + "ghsa_id", + "created_at", + "active", + "action", + "repository_id", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "operation_type" + ] }, { "action": "repository_vulnerability_alerts.authorized_users_teams", "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts", + "fields": [ + "org", + "_document_id", + "repo", + "org_id", + "operation_type", + "created_at", + "actor", + "action", + "@timestamp", + "user_agent", + "repo_id", + "request_id", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts" }, { "action": "repository_vulnerability_alerts_auto_dismissal.disable", "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repository_vulnerability_alerts_auto_dismissal.enable", "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_vulnerability_alerts.disable", "description": "Dependabot alerts was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "request_id", + "repo_id", + "action", + "actor_id", + "@timestamp", + "created_at", + "actor", + "user_agent", + "org_id", + "user", + "org", + "_document_id", + "user_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_vulnerability_alerts.enable", "description": "Dependabot alerts was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_agent", + "created_at", + "@timestamp", + "repo_id", + "action", + "user", + "repo", + "org", + "org_id", + "actor_id", + "_document_id", + "user_id", + "operation_type", + "request_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "required_status_check.create", "description": "A status check was marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "org", + "actor_id", + "@timestamp", + "business", + "request_id", + "context", + "repo_id", + "action", + "repo", + "_document_id", + "operation_type", + "business_id", + "org_id", + "actor", + "created_at", + "user_agent", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "required_status_check.destroy", "description": "A status check was no longer marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "actor_id", + "actor", + "created_at", + "context", + "operation_type", + "@timestamp", + "request_id", + "org", + "user_agent", + "repo_id", + "org_id", + "action", + "_document_id", + "repo", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "role.create", "description": "A new custom repository role was created.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "role_permissions", + "old_role_permissions" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.destroy", "description": "A custom repository role was deleted.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.update", "description": "A custom repository role was edited.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "old_role_permissions", + "old_base_role" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.public_leak", "description": "A secret scanning alert was leaked in a public repo.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "created_at" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.reopen", "description": "A secret scanning alert was reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type_display_name" + ] }, { "action": "secret_scanning_alert.report", "description": "A leaked secret was reported to the secret's provider by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "created_at", + "secret_type_display_name", + "secret_type_provider", + "report_result" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts" }, { "action": "secret_scanning_alert.resolve", "description": "A secret scanning alert was resolved.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "resolution", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" + ] }, { "action": "secret_scanning_alert.revoke", "description": "A secret scanning alert was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "security_configuration.create", "description": "A security configuration was created", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_default.delete", "description": "A default security configuration setting for new repositories was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration_default.update", "description": "A default security configuration setting for new repositories was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration.delete", "description": "A security configuration was deleted", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_policy.update", "description": "A security configuration policy was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enforcement", + "security_configuration_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "security_configuration.update", "description": "A security configuration was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.invoiced_agreement_sign", "description": "An agreement for invoiced billing for GitHub Sponsors was signed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice" }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "staff.dependabot_debug_credentials_generated", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "staff.set_domain_token_expiration", "description": "The verification code expiry time for an organization or enterprise domain was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "staff.unverify_domain", "description": "An organization or enterprise domain was unverified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "staff.verify_domain", "description": "An organization or enterprise domain was verified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "domain_name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { "action": "team.add_repository", "description": "A team was given access and permissions to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", + "org", + "repo", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { "action": "team.create", "description": "A new team is created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", + "org", + "actor", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { "action": "team.destroy", "description": "A team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", + "operation_type", + "_document_id", + "programmatic_access_type" + ] }, { "action": "team_discussions.clear", "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "actor_id", + "user", + "business", + "action", + "request_id", + "created_at", + "user_id", + "_document_id" + ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { "action": "team_discussions.enable", "description": "Team discussions were enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "@timestamp", + "action", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", + "user", + "business", + "operation_type", + "actor", + "created_at" + ] }, { "action": "team_group_mapping.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "action", + "operation_type", + "team", + "@timestamp", + "actor_id", + "org", + "_document_id", + "org_id", + "user_agent", + "request_id", + "request_access_security_header" + ] }, { "action": "team_group_mapping.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "@timestamp", + "actor_id", + "_document_id", + "team", + "created_at", + "org_id", + "action", + "request_id", + "user_agent", + "actor", + "org", + "request_access_security_header" + ] }, { "action": "team_group_mapping.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { "action": "team.remove_repository", "description": "A repository was removed from a team's control.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "org_id", + "repo", + "repo_id", + "action", + "_document_id", + "actor", + "@timestamp", + "actor_id", + "user_agent", + "created_at", + "team", + "org", + "operation_type", + "programmatic_access_type" + ] }, { "action": "team.rename", "description": "A team's name was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "user_agent", + "created_at", + "team", + "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.update_okta_credentials", "description": "The Okta credentials for team synchronization with a tenant were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "team.update_repository_permission", "description": "A team's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "team", + "org_id", + "@timestamp", + "org", + "_document_id", + "old_permission", + "request_id", + "repo", + "action", + "repo_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "vulnerability_alert_rule.create", "description": "A Dependabot rule was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.delete", "description": "A Dependabot rule was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.disable", "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.enable", "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "vulnerability_alert_rule.force_disable", "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "vulnerability_alert_rule.force_enable", "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "vulnerability_alert_rule.update", "description": "A Dependabot rule's conditions, actions, or metadata changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.16/user.json b/src/audit-logs/data/ghes-3.16/user.json index a48f41ed60fb..337e51a9a637 100644 --- a/src/audit-logs/data/ghes-3.16/user.json +++ b/src/audit-logs/data/ghes-3.16/user.json @@ -2,2124 +2,8484 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "account_recovery_token.confirm", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "token_id", + "user_id", + "user", + "actor", + "operation_type" + ] }, { "action": "account_recovery_token.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", + "actor", + "user_id", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "account_recovery_token.recover", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" + ] }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "billing.update_bill_cycle_day", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_coverage", "description": "A CSV export was requested on the \"Coverage\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_overview_dashboard", "description": "A CSV export was requested on the \"Overview Dashboard\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_risk", "description": "A CSV export was requested on the \"Risk\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "gist.create", "description": "A gist was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "user", + "gist_id", + "@timestamp", + "created_at", + "operation_type", + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "gist.destroy", "description": "A gist was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "gist_id", + "visibility", + "created_at", + "_document_id", + "user", + "request_id", + "operation_type", + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "gist.visibility_change", "description": "The visibility of a gist was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "gpg_key.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "created_at", + "user_id", + "@timestamp", + "user", + "operation_type", + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" + ] }, { "action": "gpg_key.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor", + "actor_id", + "user", + "action", + "created_at", + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing_plan.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "actor", + "action", + "operation_type", + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" + ] }, { "action": "marketplace_listing_plan.publish", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", + "_document_id", + "action", + "user_agent", + "request_id", + "actor", + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" + ] }, { "action": "marketplace_listing_plan.retire", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", + "created_at", + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" + ] }, { "action": "marketplace_listing_plan.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "monthly_price_in_cents", + "marketplace_listing", + "_document_id", + "action", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", + "actor_id", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", + "operation_type", + "actor", + "created_at" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_access.regenerate", "description": "An OAuth access token was regenerated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "_document_id", + "created_at", + "@timestamp", + "operation_type", + "action", + "user_agent", + "request_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "oauth_application_name" + ] }, { "action": "oauth_access.update", "description": "An OAuth access token was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "action", + "@timestamp", + "user", + "user_agent", + "request_access_security_header" + ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "oauth_authorization.update", "description": "An authorization for an OAuth application was updated.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "org_id", + "request_id", + "user_id", + "actor", + "actor_id", + "user_agent", + "@timestamp", + "operation_type", + "action", + "user", + "created_at", + "_document_id", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the CodeQL pull request alerts page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "passkey.register", "description": "A new passkey was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "passkey.remove", "description": "A new passkey was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.create", "description": "Triggered when you create a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "personal_access_token.credential_regenerated", "description": "Triggered when you regenerate a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { "action": "personal_access_token.destroy", "description": "Triggered when you delete a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "security_key.register", "description": "A security key was registered for an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "created_at", + "user_id", + "action", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" + ] }, { "action": "security_key.remove", "description": "A security key was removed from an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "action", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "trusted_device.register", "description": "A new trusted device was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "trusted_device.remove", "description": "A trusted device was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "two_factor_account_recovery.abort", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "action", + "request_id", + "user_id", + "@timestamp", + "_document_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "two_factor_account_recovery.complete", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "created_at", + "user_id", + "operation_type", + "user", + "_document_id", + "user_agent", + "action" + ] }, { "action": "two_factor_account_recovery.ignore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "created_at", + "user_id", + "operation_type", + "@timestamp", + "user", + "action" + ] }, { "action": "two_factor_account_recovery.staff_approve", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "action", + "_document_id" + ] }, { "action": "two_factor_account_recovery.staff_decline", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user", + "created_at", + "request_id", + "actor_id", + "_document_id" + ] }, { "action": "two_factor_account_recovery.start", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" + ] }, { "action": "two_factor_account_recovery.two_factor_destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "user", + "_document_id", + "request_id" + ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { "action": "two_factor_authentication.password_reset_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", + "@timestamp", + "request_id", + "_document_id", + "user_agent" + ] }, { "action": "two_factor_authentication.recovery_codes_regenerated", "description": "Two factor recovery codes were regenerated for a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "action", + "user", + "user_agent", + "actor_id", + "@timestamp", + "created_at" + ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.sign_in_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "operation_type", + "user_id", + "user", + "user_agent", + "created_at", + "_document_id", + "action", + "@timestamp" + ] }, { "action": "two_factor_authentication.update_fallback", "description": "The two-factor authentication fallback for a user account was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "user", + "user_id", + "operation_type", + "user_agent", + "action", + "request_id", + "actor", + "actor_id" + ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { "action": "user.async_delete", "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "created_at", + "user", + "@timestamp", + "_document_id", + "request_id", + "actor_id", + "operation_type", + "user_agent", + "action", + "request_access_security_header" + ] }, { "action": "user.audit_log_export", "description": "Audit log entries were exported.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", + "operation_type", + "created_at" + ] }, { "action": "user.block_user", "description": "A user was blocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_id", + "_document_id", + "actor_id", + "@timestamp", + "user_agent", + "user", + "request_id", + "blocked_user", + "operation_type", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.change_password", "description": "A user changed their password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "actor", + "user", + "user_id", + "action", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.create", "description": "A new user account was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "email", + "user_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "created_at", + "_document_id", + "user_agent", + "actor", + "actor_id", + "action", + "programmatic_access_type" + ] }, { "action": "user.create_integration_secret", "description": "A user secret for Codespaces was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.creation_rate_limit_exceeded", "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "user_agent", + "_document_id", + "operation_type", + "oauth_application_id", + "action", + "actor", + "actor_id", + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.delete", "description": "A user account was destroyed by an asynchronous job.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "user_id", + "actor", + "actor_id", + "user", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.demote", "description": "A site administrator was demoted to an ordinary user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "oauth_application_id", + "action", + "user", + "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "_document_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.destroy", "description": "A user deleted his or her account, triggering user.async_delete.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "user", + "_document_id", + "created_at", + "user_agent", + "user_id", + "operation_type", + "actor_id", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.device_verification_failure", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.device_verification_requested", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user_id", + "actor", + "operation_type", + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" + ] }, { "action": "user.device_verification_success", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user", + "_document_id", + "action", + "operation_type", + "user_agent", + "created_at", + "request_id", + "actor", + "actor_id", + "user_id", + "request_access_security_header" + ] }, { "action": "user.disable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user_email.confirm_claim", "description": "An enterprise managed user claimed an email address.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { "action": "user.enable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.failed_login", "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", + "actor", + "actor_id", + "user_agent" + ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { "action": "user.grant_github_developer", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", + "@timestamp", + "_document_id", + "user", + "user_id", + "actor", + "operation_type", + "request_id" + ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.login", "description": "A user signed in.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "actor_id", + "@timestamp", + "user", + "action", + "operation_type", + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" + ] }, { "action": "user.logout", "description": "A user signed out.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.new_device_used", "description": "A user signed in from a new device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ] }, { "action": "user.promote", "description": "An ordinary user account was promoted to a site administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "actor", + "actor_id", + "user", + "@timestamp", + "created_at", + "user_agent", + "oauth_application_id", + "request_id", + "operation_type", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.recreate", "description": "A user's account was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user", + "action", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user_id", + "created_at", + "actor", + "operation_type" + ] }, { "action": "user.remove_email", "description": "An email address was removed from a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "@timestamp", + "_document_id", + "request_id", + "user", + "user_id", + "operation_type", + "actor", + "actor_id", + "created_at", + "email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.remove_integration_secret", "description": "A user secret for Codespaces was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.rename", "description": "A username was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "request_id", + "actor_id", + "old_login", + "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", + "operation_type", + "user_agent", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.reset_password", "description": "A user reset their account password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "user", + "request_id", + "user_id", + "created_at", + "@timestamp", + "_document_id", + "actor", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_session.country_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_id", + "action", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.sign_in_from_unrecognized_device", "description": "A user signed in from an unrecognized device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "operation_type", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_device_and_location", "description": "A user signed in from an unrecognized device and location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "request_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_status.destroy", "description": "Triggered when you clear the status on your profile.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_id", + "actor", + "message", + "user", + "actor_id", + "created_at", + "request_id", + "limited_availability", + "action", + "emoji", + "operation_type", + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { "action": "user.suspend", "description": "A user account was suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "operation_type", + "actor_id", + "user", + "user_agent", + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.toggle_warn_private_email", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "actor_id", + "@timestamp", + "operation_type", + "_document_id", + "user_agent", + "actor", + "action", + "user_id", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_success", "description": "A 2FA challenge issued for a user account succeeded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_id", + "operation_type", + "actor_id", + "user", + "actor", + "user_agent", + "request_id", + "action", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_recover", "description": "A user used their 2FA recovery codes.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", + "action", + "actor", + "actor_id", + "created_at", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_downloaded", "description": "A user downloaded 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "actor_id", + "user", + "request_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_printed", "description": "A user printed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", + "actor", + "actor_id", + "@timestamp" + ] }, { "action": "user.two_factor_recovery_codes_viewed", "description": "A user viewed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "actor", + "user_id", + "action", + "created_at", + "user", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { "action": "user.unblock_user", "description": "A user was unblocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", + "actor", + "@timestamp", + "user_agent", + "user_id", + "user", + "created_at", + "request_access_security_header" + ] }, { "action": "user.unsuspend", "description": "A user account was unsuspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "user", + "action", + "user_agent", + "actor", + "oauth_application_id", + "operation_type", + "actor_id", + "created_at", + "@timestamp", + "user_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.update_integration_secret", "description": "A user secret for Codespaces was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.update_new_repository_default_branch_setting", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.17/enterprise.json b/src/audit-logs/data/ghes-3.17/enterprise.json index 943197a5514d..72c57723a905 100644 --- a/src/audit-logs/data/ghes-3.17/enterprise.json +++ b/src/audit-logs/data/ghes-3.17/enterprise.json @@ -2,4382 +2,17609 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "account_recovery_token.confirm", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "token_id", + "user_id", + "user", + "actor", + "operation_type" + ] }, { "action": "account_recovery_token.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", + "actor", + "user_id", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "account_recovery_token.recover", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" + ] }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "api.request", "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests", + "fields": [ + "user_agent", + "request_id", + "request_method", + "query_string", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "request_body", + "status_code", + "url_path", + "business", + "business_id", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "route", + "rate_limit_remaining", + "actor_is_bot" + ], "docs_reference_titles": "Streaming the audit log for your enterprise" }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "audit_log_streaming.check", "description": "A manual check of the endpoint configured for audit log streaming was performed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "audit_log_stream_result", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_sink_details", + "request_access_security_header" + ] }, { "action": "audit_log_streaming.create", "description": "An endpoint was added for audit log streaming.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business_id", + "business", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_id" + ] }, { "action": "audit_log_streaming.destroy", "description": "An audit log streaming endpoint was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_id", + "audit_log_stream_sink_details" + ] }, { "action": "audit_log_streaming.update", "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "audit_log_stream_enabled", + "business_id", + "business", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "new_s3_bucket", + "old_s3_bucket", + "secrets_updated", + "new_s3_arn_role", + "old_s3_arn_role", + "new_azure_blob_container", + "old_azure_blob_container", + "new_event_hub_instance", + "old_event_hub_instance", + "new_splunk_domain", + "old_splunk_domain", + "ssl_verify", + "old_gc_bucket" + ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "billing.update_bill_cycle_day", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.add_admin", "description": "An enterprise owner was added to an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "name", + "business", + "user", + "user_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "action", + "operation_type", + "request_id", + "business_id", + "_document_id", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { "action": "business.add_organization", "description": "An organization was added to an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "actor", + "business_id", + "org", + "action", + "user_agent", + "actor_id", + "name", + "created_at", + "request_id", + "_document_id", + "business", + "organization_upgrade", + "request_access_security_header" + ] }, { "action": "business_advanced_security.disabled", "description": "GitHub Advanced Security was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was disabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled", "description": "GitHub Advanced Security was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was enabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.advanced_security_policy_update", "description": "An enterprise owner created, updated, or removed a policy for GitHub Advanced Security.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "business.advanced_security_repo_admin_enablement_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business_advanced_security.user_namespace_repos_disabled", "description": "GitHub Advanced Security was disabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.user_namespace_repos_enabled", "description": "GitHub Advanced Security was enabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.clear_actions_settings", "description": "An enterprise owner or site administrator cleared GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.clear_default_repository_permission", "description": "An enterprise owner cleared the base repository permission policy setting for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "name", + "operation_type", + "business_id", + "user_agent", + "actor_id", + "request_id", + "actor", + "_document_id", + "business", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.clear_members_can_create_repos", "description": "An enterprise owner cleared a restriction on repository creation in organizations in the enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#setting-a-policy-for-repository-creation", + "fields": [ + "user_agent", + "actor_id", + "business_id", + "action", + "_document_id", + "request_id", + "name", + "business", + "visibility", + "created_at", + "actor", + "operation_type", + "@timestamp" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.code_scanning_autofix_policy_update", "description": "The policy for Code scanning autofix was updated for an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.code_scanning_autofix_third_party_tools_policy_update", "description": "The policy for Code scanning autofix third party tools was updated for an enterprise.", "docs_reference_links": "/code-security/getting-started/github-security-features#available-with-github-code-security", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#available-with-github-code-security" }, { "action": "business.code_security_enablement_policy_update", "description": "The policy for Code Security enablement was updated for an enterprise.", "docs_reference_links": "/code-security/getting-started/github-security-features#available-with-github-code-security", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#available-with-github-code-security" }, { "action": "business.create", "description": "An enterprise was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "_document_id", + "action", + "@timestamp", + "request_id", + "name", + "business", + "business_id", + "operation_type", + "actor", + "created_at", + "user_agent", + "request_access_security_header" + ] }, { "action": "business_dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for new repositories in your enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for new repositories in your enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.dependabot_alerts_repo_admin_enablement_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.disable_open_scim", "description": "SCIM provisioning for custom integrations that use the REST API was disabled for the enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was disabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { "action": "business.disable_two_factor_requirement", "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "@timestamp", + "actor", + "business", + "operation_type", + "created_at", + "user_agent", + "business_id", + "actor_id", + "name", + "_document_id", + "request_id" + ] }, { "action": "business.enable_open_scim", "description": "SCIM provisioning for custom integrations that use the REST API was enabled for the enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was enabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { "action": "business.enable_two_factor_requirement", "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "actor", + "operation_type", + "created_at", + "business", + "business_id", + "name", + "_document_id", + "request_id", + "@timestamp" + ] }, { "action": "business.members_can_update_protected_branches.clear", "description": "An enterprise owner unset a policy for whether members of an enterprise can update protected branches on repositories for individual organizations. Organization owners can choose whether to allow updating protected branches settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "business", + "name", + "operation_type", + "user", + "user_agent", + "business_id", + "_document_id" + ] }, { "action": "business.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update branch protection rules was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "business.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update branch protection rules was enabled. Enterprise owners and members can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "actor", + "operation_type", + "_document_id", + "business_id", + "user", + "@timestamp", + "business", + "actor_id", + "created_at", + "action", + "user_agent", + "request_id", + "user_id" + ] }, { "action": "business.remove_admin", "description": "An enterprise owner was removed from an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "actor", + "operation_type", + "user_agent", + "business", + "business_id", + "@timestamp", + "created_at", + "request_id", + "action", + "name", + "actor_id", + "user_id", + "_document_id", + "user" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { "action": "business.remove_organization", "description": "An organization was removed from an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "action", + "business", + "actor", + "actor_id", + "request_id", + "created_at", + "user_agent", + "business_id", + "operation_type", + "@timestamp", + "_document_id", + "name", + "org" + ] }, { "action": "business.rename_slug", "description": "The slug for the enterprise URL was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "name", + "business_id", + "user_agent", + "action", + "actor_id", + "operation_type", + "actor", + "@timestamp", + "created_at", + "business", + "_document_id" + ] }, { "action": "business.revoke_sso_session", "description": "The SAML single sign-on session for a member in an enterprise was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "user_agent", + "request_id", + "user", + "operation_type", + "actor", + "_document_id", + "actor_id", + "name", + "@timestamp", + "user_id", + "action", + "created_at", + "business" + ] }, { "action": "business_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_custom_pattern.create", "description": "An enterprise-level custom pattern was created for secret scanning.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern.delete", "description": "An enterprise-level custom pattern was removed from secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_secret_scanning_custom_pattern.publish", "description": "An enterprise-level custom pattern was published for secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern.update", "description": "Changes to an enterprise-level custom pattern were saved and a dry run was executed for secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_secret_scanning.disable", "description": "Secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.disabled_for_new_repos", "description": "Secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enable", "description": "Secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enabled_for_new_repos", "description": "Secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_push_protection_custom_message.disable", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.enable", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.update", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disable", "description": "Push protection for secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disabled_for_new_repos", "description": "Push protection for secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enable", "description": "Push protection for secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enabled_for_new_repos", "description": "Push protection for secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.secret_scanning_repo_admin_settings_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_coverage", "description": "A CSV export was requested on the \"Coverage\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_overview_dashboard", "description": "A CSV export was requested on the \"Overview Dashboard\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_risk", "description": "A CSV export was requested on the \"Risk\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your enterprise. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "issuer", + "name", + "user_agent", + "action", + "@timestamp", + "_document_id", + "actor", + "business", + "business_id", + "actor_id", + "created_at", + "request_id", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.update_actions_settings", "description": "An enterprise owner or site administrator updated GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "updated_github_owned_allowed", + "updated_verified_allowed", + "updated_patterns", + "new_policy", + "old_policy", + "updated_access_policy" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.update_default_repository_permission", "description": "The base repository permission setting was updated for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "business_id", + "operation_type", + "user_agent", + "actor", + "actor_id", + "permission", + "action", + "created_at", + "@timestamp", + "request_id", + "name", + "_document_id", + "old_permission", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_creation_permission", "description": "The repository creation setting was updated for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-creation", + "fields": [ + "created_at", + "_document_id", + "request_id", + "name", + "business_id", + "actor", + "actor_id", + "@timestamp", + "operation_type", + "permission", + "action", + "business", + "user_agent", + "visibility" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_invitation_permission", "description": "The policy setting for enterprise members inviting outside collaborators to repositories was updated.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-inviting-outside-collaborators-to-repositories", + "fields": [ + "business_id", + "created_at", + "action", + "operation_type", + "@timestamp", + "request_id", + "permission", + "actor", + "actor_id", + "name", + "_document_id", + "user_agent", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "code_scanning.alert_appeared_in_branch", "description": "Existing code scanning alerts appeared in a branch.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_fixed", "description": "Code scanning alerts were fixed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_outdated", "description": "Code scanning alerts were closed as outdated (all configurations they were detected in were deleted).", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_numbers", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_by_user", "description": "Code scanning alerts were manually dismissed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers", + "dismissal_approver_id" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_approved", "description": "Dismissal of code scanning alerts was approved.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_denied", "description": "Dismissal of code scanning alerts was denied.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_requested", "description": "Dismissal of code scanning alerts was requested.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_created", "description": "Code scanning alerts were seen for the first time.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reappeared", "description": "Code scanning alerts that were previously fixed reappeared.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reopened_by_user", "description": "Code scanning alerts that were previously dismissed were reopened.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code.search", "description": "A code search was run targeting an organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/search-github/github-code-search", + "fields": [ + "@timestamp", + "action", + "actor_id", + "business_id", + "query", + "org_id", + "user_id", + "_document_id", + "search_string" + ], "docs_reference_titles": "/search-github/github-code-search" }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.user_access_reinstated", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "owner_type", + "actor_id", + "user_id", + "owner", + "org", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.user_access_revoked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "owner_type", + "actor_id", + "user_id", + "owner", + "org", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_domain.approve", "description": "A domain was approved for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#approving-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.create", "description": "A domain was added to an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.destroy", "description": "A domain was removed from an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#removing-an-approved-or-verified-domain", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.verify", "description": "A domain was verified for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise.register_self_hosted_runner", "description": "A new GitHub Actions self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "enterprise.remove_self_hosted_runner", "description": "A GitHub Actions self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_created", "description": "A GitHub Actions self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_removed", "description": "A GitHub Actions self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runner_removed", "description": "The REST API was used to remove a GitHub Actions self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "enterprise.runner_group_runners_added", "description": "A GitHub Actions self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runners_updated", "description": "A GitHub Actions runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "enterprise.runner_group_updated", "description": "The configuration of a GitHub Actions self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.self_hosted_runner_offline", "description": "The GitHub Actions runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_online", "description": "The GitHub Actions runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_updated", "description": "The GitHub Actions runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "enterprise_team.add_member", "description": "A new member was added to the enterprise team or an IdP group linked to an enterprise team, or an IdP group was linked to an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "user", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_team.copilot_assignment", "description": "A license for GitHub Copilot was assigned to an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "enterprise_team.copilot_unassignment", "description": "A license for GitHub Copilot was unassigned from an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "enterprise_team.create", "description": "A new enterprise team was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "enterprise_team.destroy", "description": "An enterprise team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "enterprise_team.remove_member", "description": "A member was removed from the enterprise team or an IdP group linked to an enterprise team, or an IdP group was unlinked from an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "user", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_team.rename", "description": "The name of an enterprise team was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "external_group.add_member", "description": "A user was added to an external group.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group", + "external_group_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.delete", "description": "An external group was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "scim_group_id" + ] }, { "action": "external_group.link", "description": "An external group was linked to a GitHub team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "external_group_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group", + "programmatic_access_type", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.provision", "description": "An external group was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "external_group.remove_member", "description": "A user was removed from an external group.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group", + "external_group_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "external_group.scim_api_failure", "description": "Failed external group SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.scim_api_success", "description": "Successful external group SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.unlink", "description": "An external group was unlinked to a GitHub team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "external_group_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group" + ] }, { "action": "external_group.update", "description": "An external group was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.update_display_name", "description": "An external group's display name was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group_id", + "external_group", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_identity.deprovision", "description": "An external identity was deprovisioned, suspending the linked GitHub user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "external_identity.provision", "description": "An external identity was created and linked to a GitHub user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] }, { "action": "external_identity.scim_api_failure", "description": "Failed external identity SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.scim_api_success", "description": "Successful external identity SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.update", "description": "An external identity was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] }, { "action": "gist.create", "description": "A gist was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "user", + "gist_id", + "@timestamp", + "created_at", + "operation_type", + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "gist.destroy", "description": "A gist was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "gist_id", + "visibility", + "created_at", + "_document_id", + "user", + "request_id", + "operation_type", + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "gist.visibility_change", "description": "The visibility of a gist was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "git.clone", "description": "A repository was cloned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.fetch", "description": "Changes were fetched from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.push", "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "gpg_key.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "created_at", + "user_id", + "@timestamp", + "user", + "operation_type", + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" + ] }, { "action": "gpg_key.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor", + "actor_id", + "user", + "action", + "created_at", + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation_request.close", "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "url", + "actor", + "actor_id", + "created_at", + "request_id", + "operation_type", + "@timestamp", + "integration", + "action", + "user_agent", + "reason", + "_document_id", + "org", + "org_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation_request.create", "description": "A member requested that an owner install a GitHub App.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "@timestamp", + "actor_id", + "org", + "_document_id", + "requester", + "action", + "user_agent", + "created_at", + "url", + "org_id", + "request_id", + "operation_type", + "actor", + "integration", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "ip_allow_list.disable", "description": "An IP allow list was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "actor", + "request_id", + "org", + "user_agent", + "_document_id", + "user_id", + "actor_id", + "created_at", + "org_id", + "action", + "@timestamp", + "user" + ] }, { "action": "ip_allow_list.disable_for_installed_apps", "description": "An IP allow list was disabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.disable_user_level_enforcement", "description": "IP allow list user level enforcement was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ip_allow_list.enable", "description": "An IP allow list was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", + "_document_id", + "action", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "org", + "created_at" + ] }, { "action": "ip_allow_list.enable_for_installed_apps", "description": "An IP allow list was enabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.enable_user_level_enforcement", "description": "IP allow list user level enforcement was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ip_allow_list_entry.create", "description": "An IP address was added to an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "active", + "org", + "ip_allow_list_entry", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "actor_id", + "business_id", + "org_id", + "business", + "actor", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.destroy", "description": "An IP address was deleted from an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", + "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.update", "description": "An IP address or its description was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "actor", + "org", + "action", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" + ] }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing_plan.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "actor", + "action", + "operation_type", + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" + ] }, { "action": "marketplace_listing_plan.publish", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", + "_document_id", + "action", + "user_agent", + "request_id", + "actor", + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" + ] }, { "action": "marketplace_listing_plan.retire", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", + "created_at", + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" + ] }, { "action": "marketplace_listing_plan.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "monthly_price_in_cents", + "marketplace_listing", + "_document_id", + "action", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", + "actor_id", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", + "operation_type", + "actor", + "created_at" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_access.regenerate", "description": "An OAuth access token was regenerated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "_document_id", + "created_at", + "@timestamp", + "operation_type", + "action", + "user_agent", + "request_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "oauth_application_name" + ] }, { "action": "oauth_access.revoke", "description": "An OAuth access token was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "request_access_security_header", + "hashed_token", + "token_id", + "token_scopes", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "oauth_access.update", "description": "An OAuth access token was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "action", + "@timestamp", + "user", + "user_agent", + "request_access_security_header" + ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.suspend", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user_agent", + "org_id", + "org", + "operation_type", + "oauth_application_id", + "action", + "created_at", + "actor", + "actor_id", + "oauth_application", + "_document_id", + "request_id" + ] }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.unsuspend", "description": "An OAuth application was unsuspended for a user or organization account.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "operation_type", + "org_id", + "action", + "oauth_application_id", + "oauth_application", + "org", + "created_at", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "oauth_authorization.update", "description": "An authorization for an OAuth application was updated.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "org_id", + "request_id", + "user_id", + "actor", + "actor_id", + "user_agent", + "@timestamp", + "operation_type", + "action", + "user", + "created_at", + "_document_id", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.add_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_entity_policy_update", "description": "An enterprise owner updated the GitHub Advanced Security access policy for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "new_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.async_delete", "description": "A user initiated a background job to delete an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "request_id", + "org", + "org_id", + "user_agent", + "created_at" + ] }, { "action": "org.billing_signup_error", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_agent", + "action", + "@timestamp", + "actor_id", + "org_id", + "_document_id", + "actor", + "org", + "operation_type" + ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.cancel_invitation", "description": "An invitation sent to a user to join an organization was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "email", + "@timestamp", + "actor", + "action", + "operation_type", + "user_agent", + "org", + "invitation_id", + "_document_id", + "created_at", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.clear_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "org.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.delete", "description": "An organization was deleted by a user or staff.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "@timestamp", + "_document_id", + "created_at", + "actor", + "org_id", + "org", + "action", + "actor_id", + "operation_type", + "request_id", + "request_access_security_header" + ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.disable_saml", "description": "SAML single sign-on was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "sso_url", + "issuer", + "action", + "@timestamp", + "_document_id", + "created_at", + "org", + "operation_type" + ] }, { "action": "org.disable_two_factor_requirement", "description": "A two-factor authentication requirement was disabled for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "org_id", + "action", + "actor", + "actor_id", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "user_agent" + ] }, { "action": "org.display_commenter_full_name_disabled", "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "user", + "action", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" + ] }, { "action": "org.display_commenter_full_name_enabled", "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_agent", + "request_id", + "actor", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", + "action", + "actor_id", + "org_id" + ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.integration_manager_added", "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "org_id", + "manager", + "@timestamp", + "request_id", + "actor", + "operation_type", + "_document_id", + "actor_id", + "org", + "action", + "created_at" + ] }, { "action": "org.integration_manager_removed", "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "@timestamp", + "org", + "user_agent", + "request_id", + "action", + "actor", + "actor_id", + "manager", + "operation_type", + "created_at", + "_document_id" + ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { "action": "org.invite_to_business", "description": "An organization was invited to join an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "org.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "actor", + "user", + "action" + ] }, { "action": "org.rate_limited_invites", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "org_id", + "action", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org" + ] }, { "action": "org.recreate", "description": "An organization was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "action", + "operation_type", + "_document_id", + "user_agent", + "actor_id", + "@timestamp", + "request_id", + "actor", + "org_id" + ] }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.remove_outside_collaborator", "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user", + "org_id", + "created_at", + "request_id", + "@timestamp", + "action", + "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.remove_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "org.rename", "description": "An organization was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "@timestamp", + "org", + "action", + "actor", + "old_login", + "org_id", + "request_id", + "actor_id", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the CodeQL pull request alerts page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "org_id", + "operation_type", + "actor", + "actor_id", + "@timestamp", + "request_id", + "created_at", + "org", + "action" + ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "user_agent", + "actor", + "actor_id", + "org_id", + "@timestamp", + "org", + "issuer", + "business", + "operation_type", + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.transform", "description": "A user account was converted into an organization.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization", + "fields": [ + "actor", + "_document_id", + "request_id", + "operation_type", + "actor_id", + "org_id", + "org", + "action", + "@timestamp", + "created_at", + "user_agent", + "owner", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization" }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_default_repository_permission", "description": "The default repository permission level for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "operation_type", + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" + ] }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_saml_provider_settings", "description": "An organization's SAML provider settings were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", + "@timestamp", + "issuer", + "org", + "_document_id", + "actor", + "org_id", + "created_at", + "request_id", + "action" + ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_published", "description": "A package was published or republished to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_version_published", "description": "A specific package version was published or republished to a package.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "passkey.register", "description": "A new passkey was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "passkey.remove", "description": "A new passkey was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_restriction_disabled", "description": "The configured restriction for access to resources via personal access tokens was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_restriction_enabled", "description": "The configured restriction for access to resources via personal access tokens was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_restriction_reset", "description": "The configured restriction for access to resources via personal access tokens was reset and delegated to organizations.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.auto_approve_grant_requests_disabled", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.auto_approve_grant_requests_enabled", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.auto_approve_grant_requests_reset", "description": "Triggered when the enterprise delegates to the organizations when to require approval for fine-grained personal access tokens before the tokens can access organization resources.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.create", "description": "Triggered when you create a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "personal_access_token.credential_regenerated", "description": "Triggered when you regenerate a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { "action": "personal_access_token.destroy", "description": "Triggered when you delete a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.expiration_limit_set", "description": "A personal access token expiration limit was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "token_expiration", + "old_token_expiration", + "exempt_administrators", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.expiration_limit_unset", "description": "A personal access token expiration limit was unset.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "old_token_expiration", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { "action": "protected_branch.branch_allowances", "description": "A protected branch allowance was given to a specific user, team or integration.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "name", + "authorized_actors", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "protected_branch.create", "description": "Branch protection was enabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "repo_id", + "user_id", + "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", + "_document_id", + "request_id", + "actor", + "actor_id", + "org", + "action", + "created_at", + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.destroy", "description": "Branch protection was disabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "repo", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "repo_id", + "org_id", + "operation_type", + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.dismiss_stale_reviews", "description": "Enforcement of dismissing stale pull requests was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", + "action", + "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", + "operation_type", + "actor", + "repo", + "org", + "name", + "programmatic_access_type" + ] }, { "action": "protected_branch.dismissal_restricted_users_teams", "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", + "actor_id", + "org", + "action", + "operation_type", + "programmatic_access_type" + ] }, { "action": "protected_branch.policy_override", "description": "A branch protection requirement was overridden by a repository administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor", + "reasons", + "@timestamp", + "before", + "after", + "actor_id", + "repo", + "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "rule_suite_id" + ] }, { "action": "protected_branch.rejected_ref_update", "description": "A branch update attempt was rejected.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "@timestamp", + "created_at", + "_document_id", + "business", + "org_id", + "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" + ] }, { "action": "protected_branch.update_admin_enforced", "description": "Branch protection was enforced for repository administrators.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "admin_enforced", + "operation_type", + "user_agent", + "actor", + "org", + "name", + "repo", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_allow_deletions_enforcement_level", "description": "Branch deletion was enabled or disabled for a protected branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "operation_type", + "request_id", + "repo", + "@timestamp", + "org_id", + "org", + "action", + "allow_deletions_enforcement_level", + "_document_id", + "created_at", + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" + ] }, { "action": "protected_branch.update_allow_force_pushes_enforcement_level", "description": "Force pushes were enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "actor_id", + "name", + "_document_id", + "actor", + "repo", + "operation_type", + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_linear_history_requirement_enforcement_level", "description": "Required linear commit history was enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "operation_type", + "actor", + "linear_history_requirement_enforcement_level", + "repo", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "protected_branch.update_name", "description": "A branch name pattern was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "old_name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "protected_branch.update_pull_request_reviews_enforcement_level", "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "org_id", + "_document_id", + "actor_id", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", + "org", + "repo", + "action", + "business", + "user_agent", + "created_at", + "repo_id", + "operation_type", + "actor", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_code_owner_review", "description": "Enforcement of required code owner review was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", + "action", + "@timestamp", + "actor", + "actor_id", + "repo", + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { "action": "protected_branch.update_required_approving_review_count", "description": "Enforcement of the required number of approvals before merging was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "required_approving_review_count", + "repo", + "request_id", + "repo_id", + "created_at", + "actor", + "operation_type", + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_required_status_checks_enforcement_level", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "user_agent", + "@timestamp", + "_document_id", + "name", + "repo", + "action", + "business_id", + "repo_id", + "business", + "actor_id", + "operation_type", + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_signature_requirement_enforcement_level", "description": "Enforcement of required commit signing was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "name", + "@timestamp", + "created_at", + "_document_id", + "request_id", + "repo_id", + "org", + "org_id", + "action", + "actor", + "actor_id", + "signature_requirement_enforcement_level", + "repo", + "user_agent", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_strict_required_status_checks_policy", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "_document_id", + "org", + "@timestamp", + "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", + "operation_type", + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" + ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.in_progress", "description": "A pull request was marked as in progress.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "pull_request.indirect_merge", "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { "action": "pull_request.rebase", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "pull_request_url", + "pull_request_title", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.reopen", "description": "A pull request was reopened after previously being closed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request_review_comment.delete", "description": "A review comment on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "_document_id", + "repo", + "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.update", "description": "A review comment on a pull request was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "request_id", + "actor_id", + "action", + "created_at", + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review.delete", "description": "A review on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.code_scanning_delegated_alert_dismissal_disabled", "description": "Prevention of direct alert dismissal for code scanning was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "repo.code_scanning_delegated_alert_dismissal_enabled", "description": "Prevention of direct alert dismissal for code scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "visibility", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.disk_archive", "description": "A repository was archived on disk.", "docs_reference_links": "/repositories/archiving-a-github-repository/archiving-repositories", + "fields": [ + "actor_id", + "repo", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "repo_id", + "actor", + "action", + "user_agent" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository/archiving-repositories" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { "action": "repo.hide_from_discovery", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "org", + "operation_type", + "visibility", + "repo_id", + "created_at", + "actor", + "action", + "@timestamp", + "org_id", + "request_id", + "repo", + "_document_id" + ] }, { "action": "repo.noindex", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo_id", + "request_id", + "action", + "_document_id", + "@timestamp", + "actor_id", + "created_at", + "user", + "operation_type", + "actor", + "user_agent", + "repo", + "user_id", + "public_repo" + ] }, { "action": "repo.override_unlock", "description": "The repository was unlocked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_build", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "action", + "_document_id", + "actor_id", + "repo", + "repo_id", + "operation_type", + "user_agent", + "request_id", + "created_at", + "visibility", + "actor", + "user_id" + ] }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.require_login", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "visibility", + "operation_type", + "repo", + "_document_id", + "user", + "user_id", + "actor", + "actor_id", + "user_agent", + "repo_id", + "action", + "@timestamp", + "request_id" + ] }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { "action": "repository_secret_scanning.enable", "description": "Secret scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_security_configuration.applied", "description": "A code security configuration was applied to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.failed", "description": "A code security configuration failed to attach to the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed", "description": "A code security configuration was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed_by_settings_change", "description": "A code security configuration was removed due to a change in repository or enterprise settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.reopen", "description": "A secret scanning alert was reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type_display_name" + ] }, { "action": "secret_scanning_alert.resolve", "description": "A secret scanning alert was resolved.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "resolution", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" + ] }, { "action": "secret_scanning_alert.revoke", "description": "A secret scanning alert was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_scan.completed", "description": "A secret scanning scan has completed on this repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "repo_id", + "org_id", + "business_id", + "source", + "type", + "source_slug", + "type_slug", + "started_at", + "completed_at", + "repo", + "public_repo", + "org", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "secret_types", + "custom_pattern_name", + "custom_pattern_scope" + ], "docs_reference_titles": "About secret scanning" }, { "action": "security_configuration.create", "description": "A security configuration was created", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_default.delete", "description": "A default security configuration setting for new repositories was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration_default.update", "description": "A default security configuration setting for new repositories was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration.delete", "description": "A security configuration was deleted", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_policy.update", "description": "A security configuration policy was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enforcement", + "security_configuration_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "security_configuration.update", "description": "A security configuration was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_key.register", "description": "A security key was registered for an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "created_at", + "user_id", + "action", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" + ] }, { "action": "security_key.remove", "description": "A security key was removed from an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "action", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "staff.set_domain_token_expiration", "description": "The verification code expiry time for an organization or enterprise domain was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "staff.unverify_domain", "description": "An organization or enterprise domain was unverified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "staff.verify_domain", "description": "An organization or enterprise domain was verified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "domain_name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { "action": "team.add_repository", "description": "A team was given access and permissions to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", + "org", + "repo", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { "action": "team.create", "description": "A new team is created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", + "org", + "actor", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { "action": "team.destroy", "description": "A team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", + "operation_type", + "_document_id", + "programmatic_access_type" + ] }, { "action": "team_discussions.clear", "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "actor_id", + "user", + "business", + "action", + "request_id", + "created_at", + "user_id", + "_document_id" + ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { "action": "team_discussions.enable", "description": "Team discussions were enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "@timestamp", + "action", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", + "user", + "business", + "operation_type", + "actor", + "created_at" + ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { "action": "team.remove_repository", "description": "A repository was removed from a team's control.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "org_id", + "repo", + "repo_id", + "action", + "_document_id", + "actor", + "@timestamp", + "actor_id", + "user_agent", + "created_at", + "team", + "org", + "operation_type", + "programmatic_access_type" + ] }, { "action": "team.rename", "description": "A team's name was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "user_agent", + "created_at", + "team", + "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team.update_repository_permission", "description": "A team's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "team", + "org_id", + "@timestamp", + "org", + "_document_id", + "old_permission", + "request_id", + "repo", + "action", + "repo_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "trusted_device.register", "description": "A new trusted device was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "trusted_device.remove", "description": "A trusted device was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "two_factor_account_recovery.abort", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "action", + "request_id", + "user_id", + "@timestamp", + "_document_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "two_factor_account_recovery.complete", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "created_at", + "user_id", + "operation_type", + "user", + "_document_id", + "user_agent", + "action" + ] }, { "action": "two_factor_account_recovery.ignore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "created_at", + "user_id", + "operation_type", + "@timestamp", + "user", + "action" + ] }, { "action": "two_factor_account_recovery.staff_approve", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "action", + "_document_id" + ] }, { "action": "two_factor_account_recovery.staff_decline", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user", + "created_at", + "request_id", + "actor_id", + "_document_id" + ] }, { "action": "two_factor_account_recovery.start", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" + ] }, { "action": "two_factor_account_recovery.two_factor_destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "user", + "_document_id", + "request_id" + ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { "action": "two_factor_authentication.password_reset_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", + "@timestamp", + "request_id", + "_document_id", + "user_agent" + ] }, { "action": "two_factor_authentication.recovery_codes_regenerated", "description": "Two factor recovery codes were regenerated for a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "action", + "user", + "user_agent", + "actor_id", + "@timestamp", + "created_at" + ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.sign_in_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "operation_type", + "user_id", + "user", + "user_agent", + "created_at", + "_document_id", + "action", + "@timestamp" + ] }, { "action": "two_factor_authentication.update_fallback", "description": "The two-factor authentication fallback for a user account was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "user", + "user_id", + "operation_type", + "user_agent", + "action", + "request_id", + "actor", + "actor_id" + ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { "action": "user.async_delete", "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "created_at", + "user", + "@timestamp", + "_document_id", + "request_id", + "actor_id", + "operation_type", + "user_agent", + "action", + "request_access_security_header" + ] }, { "action": "user.audit_log_export", "description": "Audit log entries were exported.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", + "operation_type", + "created_at" + ] }, { "action": "user.block_user", "description": "A user was blocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_id", + "_document_id", + "actor_id", + "@timestamp", + "user_agent", + "user", + "request_id", + "blocked_user", + "operation_type", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.change_password", "description": "A user changed their password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "actor", + "user", + "user_id", + "action", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.correct_password_from_unrecognized_device", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "user_agent", + "created_at", + "user", + "action", + "operation_type", + "request_id", + "user_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.correct_password_from_unrecognized_device_and_location", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "_document_id", + "@timestamp", + "created_at", + "user_agent", + "operation_type", + "request_id", + "user_id", + "action", + "request_access_security_header" + ] }, { "action": "user.correct_password_from_unrecognized_location", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "created_at", + "_document_id", + "user_agent", + "user_id", + "@timestamp", + "user", + "action", + "request_access_security_header" + ] }, { "action": "user.create", "description": "A new user account was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "email", + "user_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "created_at", + "_document_id", + "user_agent", + "actor", + "actor_id", + "action", + "programmatic_access_type" + ] }, { "action": "user.create_integration_secret", "description": "A user secret for Codespaces was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.creation_rate_limit_exceeded", "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "user_agent", + "_document_id", + "operation_type", + "oauth_application_id", + "action", + "actor", + "actor_id", + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.delete", "description": "A user account was destroyed by an asynchronous job.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "user_id", + "actor", + "actor_id", + "user", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.demote", "description": "A site administrator was demoted to an ordinary user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "oauth_application_id", + "action", + "user", + "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "_document_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.destroy", "description": "A user deleted his or her account, triggering user.async_delete.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "user", + "_document_id", + "created_at", + "user_agent", + "user_id", + "operation_type", + "actor_id", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.device_verification_failure", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.device_verification_requested", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user_id", + "actor", + "operation_type", + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" + ] }, { "action": "user.device_verification_success", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user", + "_document_id", + "action", + "operation_type", + "user_agent", + "created_at", + "request_id", + "actor", + "actor_id", + "user_id", + "request_access_security_header" + ] }, { "action": "user.disable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user_email.confirm_claim", "description": "An enterprise managed user claimed an email address.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { "action": "user.enable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.failed_login", "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", + "actor", + "actor_id", + "user_agent" + ] }, { "action": "user.flag_as_large_scale_contributor", "description": "A user account was flagged as a large scale contributor. Only contributions from public repositories the user owns will be shown in their contribution graph, in order to prevent timeouts.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "user_agent", + "created_at" + ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { "action": "user.grant_github_developer", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", + "@timestamp", + "_document_id", + "user", + "user_id", + "actor", + "operation_type", + "request_id" + ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.login", "description": "A user signed in.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "actor_id", + "@timestamp", + "user", + "action", + "operation_type", + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" + ] }, { "action": "user.logout", "description": "A user signed out.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.minimize_comment", "description": "A comment made by a user was minimized.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "actor_id", + "@timestamp", + "created_at", + "operation_type", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.new_device_used", "description": "A user signed in from a new device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ] }, { "action": "user.partial_two_factor_email_followup", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "_document_id", + "action", + "@timestamp", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "user.promote", "description": "An ordinary user account was promoted to a site administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "actor", + "actor_id", + "user", + "@timestamp", + "created_at", + "user_agent", + "oauth_application_id", + "request_id", + "operation_type", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.recreate", "description": "A user's account was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user", + "action", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user_id", + "created_at", + "actor", + "operation_type" + ] }, { "action": "user.remove_email", "description": "An email address was removed from a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "@timestamp", + "_document_id", + "request_id", + "user", + "user_id", + "operation_type", + "actor", + "actor_id", + "created_at", + "email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.remove_integration_secret", "description": "A user secret for Codespaces was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.remove_large_scale_contributor_flag", "description": "A user account was no longer flagged as a large scale contributor.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.rename", "description": "A username was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "request_id", + "actor_id", + "old_login", + "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", + "operation_type", + "user_agent", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.report_abuse", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "user_agent", + "request_id", + "action", + "@timestamp", + "created_at", + "org_id", + "_document_id", + "actor", + "actor_id", + "user", + "operation_type" + ] }, { "action": "user.report_content", "description": "Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam", + "fields": [ + "org_id", + "request_id", + "user", + "user_agent", + "action", + "created_at", + "actor", + "operation_type", + "actor_id", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam" }, { "action": "user.reset_password", "description": "A user reset their account password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "user", + "request_id", + "user_id", + "created_at", + "@timestamp", + "_document_id", + "actor", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_session.country_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_id", + "action", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.sign_in_from_unrecognized_device", "description": "A user signed in from an unrecognized device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "operation_type", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_device_and_location", "description": "A user signed in from an unrecognized device and location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "request_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_location", "description": "A user signed in from an unrecognized location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "action", + "operation_type", + "user_agent", + "user", + "_document_id", + "actor", + "created_at", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user_status.destroy", "description": "Triggered when you clear the status on your profile.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_id", + "actor", + "message", + "user", + "actor_id", + "created_at", + "request_id", + "limited_availability", + "action", + "emoji", + "operation_type", + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { "action": "user.suspend", "description": "A user account was suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "operation_type", + "actor_id", + "user", + "user_agent", + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.toggle_warn_private_email", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "actor_id", + "@timestamp", + "operation_type", + "_document_id", + "user_agent", + "actor", + "action", + "user_id", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_success", "description": "A 2FA challenge issued for a user account succeeded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_id", + "operation_type", + "actor_id", + "user", + "actor", + "user_agent", + "request_id", + "action", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_recover", "description": "A user used their 2FA recovery codes.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", + "action", + "actor", + "actor_id", + "created_at", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_downloaded", "description": "A user downloaded 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "actor_id", + "user", + "request_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_printed", "description": "A user printed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", + "actor", + "actor_id", + "@timestamp" + ] }, { "action": "user.two_factor_recovery_codes_viewed", "description": "A user viewed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "actor", + "user_id", + "action", + "created_at", + "user", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { "action": "user.unblock_user", "description": "A user was unblocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", + "actor", + "@timestamp", + "user_agent", + "user_id", + "user", + "created_at", + "request_access_security_header" + ] }, { "action": "user.unminimize_comment", "description": "A comment made by a user was unminimized.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user_agent", + "_document_id", + "actor_id", + "user", + "user_id", + "operation_type", + "request_id", + "actor", + "action", + "created_at" + ] }, { "action": "user.unsuspend", "description": "A user account was unsuspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "user", + "action", + "user_agent", + "actor", + "oauth_application_id", + "operation_type", + "actor_id", + "created_at", + "@timestamp", + "user_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.update_integration_secret", "description": "A user secret for Codespaces was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.update_new_repository_default_branch_setting", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.17/organization.json b/src/audit-logs/data/ghes-3.17/organization.json index 2c45cac8def5..a3ade8393e69 100644 --- a/src/audit-logs/data/ghes-3.17/organization.json +++ b/src/audit-logs/data/ghes-3.17/organization.json @@ -2,4066 +2,16601 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "advisory_credit.accept", "description": "Credit was accepted for a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory" }, { "action": "advisory_credit.create", "description": "Someone was added to the credit section of a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "advisory_credit.decline", "description": "Credit was declined for a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "advisory_credit.destroy", "description": "Someone was removed from the credit section of a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "auto_approve_personal_access_token_requests.disable", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources. See also: personal_access_token.auto_approve_grant_requests_disabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "auto_approve_personal_access_token_requests.enable", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval. See also: personal_access_token.auto_approve_grant_requests_enabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "code_scanning.alert_appeared_in_branch", "description": "Existing code scanning alerts appeared in a branch.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_fixed", "description": "Code scanning alerts were fixed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_outdated", "description": "Code scanning alerts were closed as outdated (all configurations they were detected in were deleted).", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_numbers", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_by_user", "description": "Code scanning alerts were manually dismissed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers", + "dismissal_approver_id" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_approved", "description": "Dismissal of code scanning alerts was approved.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_denied", "description": "Dismissal of code scanning alerts was denied.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_requested", "description": "Dismissal of code scanning alerts was requested.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_created", "description": "Code scanning alerts were seen for the first time.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reappeared", "description": "Code scanning alerts that were previously fixed reappeared.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reopened_by_user", "description": "Code scanning alerts that were previously dismissed were reopened.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.attempted_to_create_from_prebuild", "description": "An attempt to create a codespace from a prebuild was made.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "pull_request_id", + "repository", + "repository_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "codespaces.business_enablement_updated", "description": "Enterprise setting for Codespaces ownership was updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "organization_names", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.policy_group_created", "description": "Policies were applied to codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.policy_group_deleted", "description": "Policies were removed from codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "codespaces.policy_group_updated", "description": "Policies were updated for codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "commit_comment.destroy", "description": "A commit comment was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "repo", + "org", + "org_id", + "created_at", + "@timestamp", + "operation_type", + "repo_id", + "actor_id", + "request_id", + "_document_id", + "user_agent", + "action", + "programmatic_access_type" + ] }, { "action": "commit_comment.update", "description": "A commit comment was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "repo_id", + "actor", + "org", + "request_id", + "action", + "@timestamp", + "repo", + "org_id", + "actor_id", + "created_at", + "user_agent", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "copilot.access_revoked", "description": "Copilot access was revoked for the organization or enterprise due to its Copilot subscription ending, an issue with billing the entity, the entity being marked spammy, or the entity being suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "plan", + "org_id", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "copilot.cfb_org_settings_changed", "description": "Copilot feature settings were changed at the organization level.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.cfb_seat_management_changed", "description": "The seat management setting was changed at the organization level to either enable or disable Copilot access for all members of the organization, or to enable Copilot access for selected members or teams.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_value", + "new_value", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "copilot.content_exclusion_changed", "description": "The excluded paths for GitHub Copilot were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "excluded_paths", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.custom_instructions_created", "description": "Copilot custom instructions were created for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "custom_instructions" + ] }, { "action": "copilot.custom_instructions_updated", "description": "Copilot custom instructions were updated for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "custom_instructions" + ] }, { "action": "copilot.knowledge_base_created", "description": "A knowledge base was created in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_deleted", "description": "A knowledge base was deleted from the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_updated", "description": "A knowledge base was updated in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.plan_changed", "description": "The plan for GitHub Copilot was updated.", "docs_reference_links": "/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_plan", + "plan", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About billing for GitHub Copilot" }, { "action": "copilot.plan_downgrade_scheduled", "description": "The plan for GitHub Copilot was scheduled to be downgraded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "current_plan", + "scheduled_plan" + ] }, { "action": "copilot.user_access_reinstated", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "owner_type", + "actor_id", + "user_id", + "owner", + "org", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.user_access_revoked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "owner_type", + "actor_id", + "user_id", + "owner", + "org", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "discussion_comment.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "repo_id", + "request_id", + "action", + "actor", + "org_id", + "_document_id", + "actor_id", + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "discussion_comment.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "@timestamp", + "actor", + "user_agent", + "request_id", + "org", + "_document_id", + "actor_id", + "operation_type", + "created_at", + "repo", + "org_id", + "action", + "request_access_security_header" + ] }, { "action": "discussion.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "user_agent", + "actor_id", + "org_id", + "actor", + "org", + "action", + "operation_type", + "@timestamp", + "request_id", + "title", + "_document_id", + "created_at", + "repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_installation.create", "description": "The GitHub App associated with a GitHub Connect connection was created.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "operation_type", + "@timestamp", + "_document_id", + "org_id", + "action", + "request_id", + "org", + "actor_id", + "user_agent", + "actor" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "enterprise_installation.destroy", "description": "The GitHub App associated with a GitHub Connect connection was deleted.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "_document_id", + "action", + "@timestamp", + "actor_id", + "actor", + "user_agent", + "org", + "operation_type", + "request_id", + "org_id" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "git.clone", "description": "A repository was cloned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.fetch", "description": "Changes were fetched from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.push", "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation_request.close", "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "url", + "actor", + "actor_id", + "created_at", + "request_id", + "operation_type", + "@timestamp", + "integration", + "action", + "user_agent", + "reason", + "_document_id", + "org", + "org_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation_request.create", "description": "A member requested that an owner install a GitHub App.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "@timestamp", + "actor_id", + "org", + "_document_id", + "requester", + "action", + "user_agent", + "created_at", + "url", + "org_id", + "request_id", + "operation_type", + "actor", + "integration", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "ip_allow_list.disable", "description": "An IP allow list was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "actor", + "request_id", + "org", + "user_agent", + "_document_id", + "user_id", + "actor_id", + "created_at", + "org_id", + "action", + "@timestamp", + "user" + ] }, { "action": "ip_allow_list.disable_for_installed_apps", "description": "An IP allow list was disabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.enable", "description": "An IP allow list was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", + "_document_id", + "action", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "org", + "created_at" + ] }, { "action": "ip_allow_list.enable_for_installed_apps", "description": "An IP allow list was enabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list_entry.create", "description": "An IP address was added to an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "active", + "org", + "ip_allow_list_entry", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "actor_id", + "business_id", + "org_id", + "business", + "actor", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.destroy", "description": "An IP address was deleted from an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", + "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.update", "description": "An IP address or its description was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "actor", + "org", + "action", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" + ] }, { "action": "issue_comment.destroy", "description": "A comment on an issue was deleted from the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "org", + "repo", + "actor_id", + "@timestamp", + "created_at", + "_document_id", + "action", + "operation_type", + "user_agent", + "repo_id", + "actor", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "issue_comment.update", "description": "A comment on an issue (other than the initial one) changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "action", + "repo_id", + "org_id", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "_document_id", + "actor_id", + "actor", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "issue.destroy", "description": "An issue was deleted from the repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/deleting-an-issue", + "fields": [ + "user", + "actor_id", + "created_at", + "title", + "@timestamp", + "_document_id", + "request_id", + "actor", + "user_id", + "action", + "operation_type", + "user_agent", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting an issue" }, { "action": "issue.pinned", "description": "An issue was pinned to a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "_document_id", + "user_agent", + "actor_id", + "created_at", + "action", + "actor", + "operation_type", + "owner_type", + "@timestamp", + "repo_id", + "request_id", + "number", + "repo", + "event", + "user", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issue.transfer", "description": "An issue was transferred to another repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/transferring-an-issue-to-another-repository", + "fields": [ + "user", + "user_id", + "@timestamp", + "user_agent", + "owner_type", + "actor_id", + "number", + "repo", + "operation_type", + "_document_id", + "repo_id", + "action", + "request_id", + "created_at", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "Transferring an issue to another repository" }, { "action": "issue.unpinned", "description": "An issue was unpinned from a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "event", + "user_agent", + "actor_id", + "repo_id", + "actor", + "action", + "created_at", + "request_id", + "repo", + "operation_type", + "_document_id", + "number", + "owner_type", + "@timestamp", + "user", + "user_id", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issues.deletes_disabled", "description": "The ability for enterprise members to delete issues was disabled Members cannot delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user_agent", + "action", + "@timestamp", + "operation_type", + "request_id", + "actor_id", + "user_id", + "created_at", + "_document_id", + "actor", + "user", + "org", + "org_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_enabled", "description": "The ability for enterprise members to delete issues was enabled Members can delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "operation_type" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_policy_cleared", "description": "An enterprise owner cleared the policy setting for allowing members to delete issues in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user", + "request_id", + "actor", + "business_id", + "action", + "operation_type", + "user_agent", + "created_at", + "@timestamp", + "_document_id", + "business", + "user_id", + "actor_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "members_can_create_pages.disable", "description": "The ability for members to publish GitHub Pages sites was disabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_pages.enable", "description": "The ability for members to publish GitHub Pages sites was enabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.disable", "description": "The ability for members to publish private GitHub Pages was disabled Members cannot publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.enable", "description": "The ability for members to publish private GitHub Pages was enabled Members can publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.disable", "description": "The ability for members to publish public GitHub Pages was disabled Members cannot publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.enable", "description": "The ability for members to publish public GitHub Pages was enabled Members can publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_delete_repos.clear", "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "_document_id", + "request_id", + "user", + "user_id", + "business", + "operation_type", + "user_agent", + "actor", + "actor_id", + "business_id", + "@timestamp", + "created_at", + "action" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.disable", "description": "The ability for enterprise members to delete repositories was disabled Members cannot delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "request_id", + "org", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "actor", + "operation_type", + "org_id", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.enable", "description": "The ability for enterprise members to delete repositories was enabled Members can delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "action", + "org_id", + "user_id", + "business", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user", + "business_id", + "created_at", + "actor", + "org", + "operation_type", + "user_agent" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_view_dependency_insights.clear", "description": "An enterprise owner cleared the policy setting for viewing dependency insights in any organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "created_at", + "request_id", + "actor", + "action", + "operation_type" + ] }, { "action": "members_can_view_dependency_insights.disable", "description": "The ability for enterprise members to view dependency insights was disabled. Members cannot view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "business", + "created_at", + "user_id", + "business_id", + "user", + "org", + "operation_type", + "request_id", + "actor", + "_document_id", + "action", + "user_agent", + "actor_id", + "org_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "members_can_view_dependency_insights.enable", "description": "The ability for enterprise members to view dependency insights was enabled. Members can view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "user_agent", + "user", + "user_id", + "business", + "business_id", + "operation_type", + "@timestamp", + "action", + "actor", + "actor_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "migration.destroy_file", "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "org_id", + "action", + "operation_type", + "created_at", + "repo", + "_document_id", + "repo_id", + "request_access_security_header" + ] }, { "action": "migration.download", "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was downloaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "oauth_application_id", + "repo_id", + "operation_type", + "@timestamp", + "user_agent", + "created_at", + "org", + "action", + "_document_id", + "repo", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "network_configuration.create", "description": "A network configuration for a hosted compute service was created.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.delete", "description": "A network configuration for a hosted compute service was deleted.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.update", "description": "A network configuration for a hosted compute service was updated.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.add_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_entity_policy_update", "description": "An enterprise owner updated the GitHub Advanced Security access policy for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "new_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_disabled", "description": "Third-party application access for outside collaborators was disabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_enabled", "description": "Third-party application access for outside collaborators was enabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.archive", "description": "The organization was archived.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.audit_log_export", "description": "An export of the organization audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "actor", + "org", + "action", + "created_at", + "user_agent", + "actor_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" }, { "action": "org.audit_log_git_event_export", "description": "An export of the organization's Git events was created.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "start", + "end", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization" }, { "action": "org.billing_signup_error", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_agent", + "action", + "@timestamp", + "actor_id", + "org_id", + "_document_id", + "actor", + "org", + "operation_type" + ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.cancel_invitation", "description": "An invitation sent to a user to join an organization was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "email", + "@timestamp", + "actor", + "action", + "operation_type", + "user_agent", + "org", + "invitation_id", + "_document_id", + "created_at", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.clear_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "org.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codespaces_access_updated", "description": "Access to use Codespaces on internal and private repositories was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization" }, { "action": "org.codespaces_ownership_updated", "description": "Ownership and payment for codespaces was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { "action": "org.codespaces_team_access_allowed", "description": "A team has been allowed to use Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.codespaces_team_access_revoked", "description": "A team has been prevented from using Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to all other repositories in an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to all other repositories in an organization was revoked.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_user_access_allowed", "description": "A user has been allowed to use Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.codespaces_user_access_revoked", "description": "A user has been prevented from using Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.connect_usage_metrics_export", "description": "Server statistics were exported for the organization.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/exporting-server-statistics", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Exporting Server Statistics" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.create_actions_secret", "description": "A GitHub Actions secret was created for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.create_actions_variable", "description": "A GitHub Actions variable was created for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org_credential_authorization.deauthorize", "description": "A member removed the SSO (SAML or OIDC) authorization from a credential that had access to your organization.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor_id", + "org_id", + "business", + "action", + "@timestamp", + "org", + "_document_id", + "business_id", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authorizing a personal access token for use with single sign-on" }, { "action": "org_credential_authorization.grant", "description": "A member authorized credentials for use with SAML or OIDC single sign-on.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "created_at", + "org_id", + "business_id", + "operation_type", + "request_id", + "_document_id", + "action", + "actor_id", + "business", + "org", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "request_access_security_header", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authenticating with single sign-on" }, { "action": "org_credential_authorization.revoke", "description": "An owner revoked authorized credentials.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization", + "fields": [ + "actor", + "org", + "@timestamp", + "owner", + "oauth_application_id", + "org_id", + "operation_type", + "action", + "business", + "request_id", + "created_at", + "business_id", + "actor_id", + "_document_id", + "user_agent", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.delete", "description": "An organization was deleted by a user or staff.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "@timestamp", + "_document_id", + "created_at", + "actor", + "org_id", + "org", + "action", + "actor_id", + "operation_type", + "request_id", + "request_access_security_header" + ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were disabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "org_id", + "action", + "_document_id", + "request_id", + "@timestamp", + "actor", + "org", + "operation_type", + "user_agent", + "created_at" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.disable_saml", "description": "SAML single sign-on was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "sso_url", + "issuer", + "action", + "@timestamp", + "_document_id", + "created_at", + "org", + "operation_type" + ] }, { "action": "org.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.disable_two_factor_requirement", "description": "A two-factor authentication requirement was disabled for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "org_id", + "action", + "actor", + "actor_id", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "user_agent" + ] }, { "action": "org.display_commenter_full_name_disabled", "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "user", + "action", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" + ] }, { "action": "org.display_commenter_full_name_enabled", "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_agent", + "request_id", + "actor", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", + "action", + "actor_id", + "org_id" + ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were enabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "operation_type", + "org", + "created_at", + "_document_id", + "actor", + "org_id", + "action", + "user_agent", + "request_id", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.integration_manager_added", "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "org_id", + "manager", + "@timestamp", + "request_id", + "actor", + "operation_type", + "_document_id", + "actor_id", + "org", + "action", + "created_at" + ] }, { "action": "org.integration_manager_removed", "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "@timestamp", + "org", + "user_agent", + "request_id", + "action", + "actor", + "actor_id", + "manager", + "operation_type", + "created_at", + "_document_id" + ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { "action": "org.invite_to_business", "description": "An organization was invited to join an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "org.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "actor", + "user", + "action" + ] }, { "action": "org.oauth_app_access_approved", "description": "Access to an organization was granted for an OAuth App.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization", + "fields": [ + "url", + "actor", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "org_id", + "_document_id", + "org", + "action", + "created_at", + "@timestamp", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization" }, { "action": "org.oauth_app_access_blocked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "url", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.oauth_app_access_denied", "description": "Access was disabled for an OAuth App that was previously approved.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization", + "fields": [ + "request_id", + "url", + "created_at", + "org_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "org", + "operation_type", + "actor", + "actor_id", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization" }, { "action": "org.oauth_app_access_requested", "description": "An organization member requested that an owner grant an OAuth App access to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "_document_id", + "request_id", + "url", + "org_id", + "action", + "@timestamp", + "org", + "request_access_security_header", + "oauth_application_name" + ] }, { "action": "org.oauth_app_access_unblocked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "url", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.rate_limited_invites", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "org_id", + "action", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org" + ] }, { "action": "org.recovery_code_failed", "description": "An organization owner failed to sign into a organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_code_used", "description": "An organization owner successfully signed into an organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_codes_downloaded", "description": "An organization owner downloaded the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_generated", "description": "An organization owner generated the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_printed", "description": "An organization owner printed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_viewed", "description": "An organization owner viewed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_actions_secret", "description": "A GitHub Actions secret was removed from an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.remove_actions_variable", "description": "A GitHub Actions variable was removed from an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.remove_integration_secret", "description": "A Codespaces or Dependabot secret was removed from an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.remove_outside_collaborator", "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user", + "org_id", + "created_at", + "request_id", + "@timestamp", + "action", + "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.remove_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "org.rename", "description": "An organization was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "@timestamp", + "org", + "action", + "actor", + "old_login", + "org_id", + "request_id", + "actor_id", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "org.required_workflow_create", "description": "Triggered when a required workflow is created.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_delete", "description": "Triggered when a required workflow is deleted.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_update", "description": "Triggered when a required workflow is updated.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.revoke_external_identity", "description": "A member's linked identity was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor", + "org", + "org_id", + "user", + "operation_type", + "user_id", + "@timestamp", + "action", + "actor_id", + "user_agent", + "_document_id", + "request_id", + "created_at" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.revoke_sso_session", "description": "A member's SAML session was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor_id", + "created_at", + "user", + "action", + "operation_type", + "@timestamp", + "org", + "org_id", + "user_agent", + "request_id", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_renamed", "description": "A self-hosted runner group was renamed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_visiblity_updated", "description": "The visibility of a self-hosted runner group was updated via the REST API.", "docs_reference_links": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "visibility", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_generic_secrets.disabled", "description": "Generic secrets have been disabled at the organization level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "org_secret_scanning_generic_secrets.enabled", "description": "Generic secrets have been enabled at the organization level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the CodeQL pull request alerts page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "org_id", + "operation_type", + "actor", + "actor_id", + "@timestamp", + "request_id", + "created_at", + "org", + "action" + ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "user_agent", + "actor", + "actor_id", + "org_id", + "@timestamp", + "org", + "issuer", + "business", + "operation_type", + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.transfer", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "from_business", + "to_business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.transfer_outgoing", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "business", + "business_id", + "from_business", + "to_business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.unarchive", "description": "The organization was unarchived.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_secret", "description": "A GitHub Actions secret was updated for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "created_at", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_actions_variable", "description": "A GitHub Actions variable was updated for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.update_default_repository_permission", "description": "The default repository permission level for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "operation_type", + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" + ] }, { "action": "org.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_new_repository_default_branch_setting", "description": "The name of the default branch was changed for new repositories in the organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization" }, { "action": "org.update_repo_self_hosted_runners_policy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_repo_runners_policy", + "new_repo_runners_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.update_saml_provider_settings", "description": "An organization's SAML provider settings were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", + "@timestamp", + "issuer", + "org", + "_document_id", + "actor", + "org_id", + "created_at", + "request_id", + "action" + ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_default_label.create", "description": "A default label was created for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label", + "fields": [ + "request_id", + "actor_id", + "actor", + "org", + "org_id", + "operation_type", + "_document_id", + "action", + "created_at", + "@timestamp", + "user_agent", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label" }, { "action": "organization_default_label.destroy", "description": "A default label was deleted for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label", + "fields": [ + "operation_type", + "request_id", + "actor", + "@timestamp", + "_document_id", + "actor_id", + "org_id", + "org", + "action", + "created_at", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label" }, { "action": "organization_default_label.update", "description": "A default label was edited for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label", + "fields": [ + "org", + "created_at", + "@timestamp", + "actor", + "action", + "user_agent", + "actor_id", + "org_id", + "operation_type", + "request_id", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_moderators.add_team", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.add_user", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.remove_team", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.remove_user", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type" + ] }, { "action": "organization_projects_change.clear", "description": "An enterprise owner cleared the policy setting for organization-wide project boards in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor", + "business_id", + "@timestamp", + "actor_id", + "user", + "user_id", + "action", + "user_agent", + "_document_id", + "created_at", + "operation_type", + "request_id", + "business" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.disable", "description": "Organization projects were disabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "org_id", + "action", + "user", + "org", + "created_at", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.enable", "description": "Organization projects were enabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor_id", + "org_id", + "created_at", + "user_id", + "org", + "@timestamp", + "_document_id", + "user_agent", + "actor", + "request_id", + "user", + "action", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_role.assign", "description": "An organization role was assigned to a user or team.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.create", "description": "A custom organization role was created in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.destroy", "description": "A custom organization role was deleted in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.revoke", "description": "A user or team was unassigned an organization role.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.update", "description": "A custom organization role was edited in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "old_role_permissions", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "old_base_role" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_wide_project_base_role.update", "description": "An organization's default project base role was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", + "business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_published", "description": "A package was published or republished to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_version_published", "description": "A specific package version was published or republished to a package.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_restriction_disabled", "description": "The configured restriction for access to resources via personal access tokens was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_restriction_enabled", "description": "The configured restriction for access to resources via personal access tokens was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.auto_approve_grant_requests_disabled", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.auto_approve_grant_requests_enabled", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.expiration_limit_set", "description": "A personal access token expiration limit was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "token_expiration", + "old_token_expiration", + "exempt_administrators", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.expiration_limit_unset", "description": "A personal access token expiration limit was unset.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "old_token_expiration", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "prebuild_configuration.create", "description": "A GitHub Codespaces prebuild configuration for a repository was created.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.destroy", "description": "A GitHub Codespaces prebuild configuration for a repository was deleted.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.run_triggered", "description": "A user initiated a run of a GitHub Codespaces prebuild configuration for a repository branch.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.update", "description": "A GitHub Codespaces prebuild configuration for a repository was edited.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_repository_forking.clear", "description": "An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "action", + "operation_type", + "@timestamp", + "business_id", + "actor_id", + "user", + "business", + "request_id", + "actor", + "created_at", + "_document_id" + ] }, { "action": "private_repository_forking.disable", "description": "An enterprise owner disabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are never allowed to be forked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor_id", + "_document_id", + "actor", + "user", + "repo", + "action", + "user_agent", + "@timestamp", + "org", + "operation_type", + "request_id", + "user_id", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "private_repository_forking.enable", "description": "An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_id", + "operation_type", + "_document_id", + "action", + "@timestamp", + "repo", + "org", + "business", + "user_agent", + "request_id", + "actor", + "repo_id", + "user", + "org_id", + "created_at", + "business_id" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project_base_role.update", "description": "A project's base role was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", + "project_number", + "public_project", + "business", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { "action": "protected_branch.branch_allowances", "description": "A protected branch allowance was given to a specific user, team or integration.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "name", + "authorized_actors", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "protected_branch.create", "description": "Branch protection was enabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "repo_id", + "user_id", + "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", + "_document_id", + "request_id", + "actor", + "actor_id", + "org", + "action", + "created_at", + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.destroy", "description": "Branch protection was disabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "repo", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "repo_id", + "org_id", + "operation_type", + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.dismiss_stale_reviews", "description": "Enforcement of dismissing stale pull requests was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", + "action", + "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", + "operation_type", + "actor", + "repo", + "org", + "name", + "programmatic_access_type" + ] }, { "action": "protected_branch.dismissal_restricted_users_teams", "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", + "actor_id", + "org", + "action", + "operation_type", + "programmatic_access_type" + ] }, { "action": "protected_branch.policy_override", "description": "A branch protection requirement was overridden by a repository administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor", + "reasons", + "@timestamp", + "before", + "after", + "actor_id", + "repo", + "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "rule_suite_id" + ] }, { "action": "protected_branch.rejected_ref_update", "description": "A branch update attempt was rejected.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "@timestamp", + "created_at", + "_document_id", + "business", + "org_id", + "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" + ] }, { "action": "protected_branch.update_admin_enforced", "description": "Branch protection was enforced for repository administrators.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "admin_enforced", + "operation_type", + "user_agent", + "actor", + "org", + "name", + "repo", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_allow_deletions_enforcement_level", "description": "Branch deletion was enabled or disabled for a protected branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "operation_type", + "request_id", + "repo", + "@timestamp", + "org_id", + "org", + "action", + "allow_deletions_enforcement_level", + "_document_id", + "created_at", + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" + ] }, { "action": "protected_branch.update_allow_force_pushes_enforcement_level", "description": "Force pushes were enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "actor_id", + "name", + "_document_id", + "actor", + "repo", + "operation_type", + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_linear_history_requirement_enforcement_level", "description": "Required linear commit history was enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "operation_type", + "actor", + "linear_history_requirement_enforcement_level", + "repo", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "protected_branch.update_name", "description": "A branch name pattern was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "old_name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "protected_branch.update_pull_request_reviews_enforcement_level", "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "org_id", + "_document_id", + "actor_id", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", + "org", + "repo", + "action", + "business", + "user_agent", + "created_at", + "repo_id", + "operation_type", + "actor", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_code_owner_review", "description": "Enforcement of required code owner review was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", + "action", + "@timestamp", + "actor", + "actor_id", + "repo", + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { "action": "protected_branch.update_required_approving_review_count", "description": "Enforcement of the required number of approvals before merging was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "required_approving_review_count", + "repo", + "request_id", + "repo_id", + "created_at", + "actor", + "operation_type", + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_required_status_checks_enforcement_level", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "user_agent", + "@timestamp", + "_document_id", + "name", + "repo", + "action", + "business_id", + "repo_id", + "business", + "actor_id", + "operation_type", + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_signature_requirement_enforcement_level", "description": "Enforcement of required commit signing was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "name", + "@timestamp", + "created_at", + "_document_id", + "request_id", + "repo_id", + "org", + "org_id", + "action", + "actor", + "actor_id", + "signature_requirement_enforcement_level", + "repo", + "user_agent", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_strict_required_status_checks_policy", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "_document_id", + "org", + "@timestamp", + "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", + "operation_type", + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" + ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.in_progress", "description": "A pull request was marked as in progress.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "pull_request.indirect_merge", "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { "action": "pull_request.rebase", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "pull_request_url", + "pull_request_title", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.reopen", "description": "A pull request was reopened after previously being closed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request_review_comment.delete", "description": "A review comment on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "_document_id", + "repo", + "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.update", "description": "A review comment on a pull request was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "request_id", + "actor_id", + "action", + "created_at", + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review.delete", "description": "A review on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.code_scanning_delegated_alert_dismissal_disabled", "description": "Prevention of direct alert dismissal for code scanning was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "repo.code_scanning_delegated_alert_dismissal_enabled", "description": "Prevention of direct alert dismissal for code scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to this repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "repo.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to this repository was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.rename_branch", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "old_branch", + "new_branch", + "default_branch", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_advisory.close", "description": "Someone closed a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories", + "fields": [ + "actor", + "repo", + "@timestamp", + "business", + "business_id", + "user_agent", + "actor_id", + "request_id", + "action", + "operation_type", + "created_at", + "repo_id", + "_document_id", + "org", + "org_id", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories" }, { "action": "repository_advisory.cve_request", "description": "Someone requested a CVE (Common Vulnerabilities and Exposures) number from GitHub for a draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "repo", + "org_id", + "actor", + "action", + "request_id", + "org", + "operation_type", + "@timestamp", + "user_agent", + "actor_id", + "_document_id", + "created_at" + ] }, { "action": "repository_advisory.github_broadcast", "description": "GitHub made a security advisory public in the GitHub Advisory Database.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "repository_advisory.github_withdraw", "description": "GitHub withdrew a security advisory that was published in error.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repository_advisory.open", "description": "Someone opened a draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "actor_id", + "actor", + "repo", + "created_at", + "_document_id", + "repo_id", + "action", + "@timestamp", + "request_id", + "request_access_security_header" + ] }, { "action": "repository_advisory.publish", "description": "Someone published a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "actor_id", + "@timestamp", + "actor", + "repo_id", + "_document_id", + "repo", + "business_id", + "business", + "request_id", + "action", + "created_at", + "org_id", + "org" + ] }, { "action": "repository_advisory.reopen", "description": "Someone reopened as draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "repo", + "action", + "created_at", + "@timestamp", + "request_id", + "actor_id", + "_document_id", + "actor", + "repo_id", + "public_repo" + ] }, { "action": "repository_advisory.update", "description": "Someone edited a draft or published security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "repo_id", + "org_id", + "business", + "actor", + "user_agent", + "created_at", + "_document_id", + "business_id", + "repo", + "action", + "operation_type", + "org", + "@timestamp", + "request_id" + ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_content_analysis.disable", "description": "Data use settings were disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "repo_id", + "request_id", + "actor_id", + "created_at", + "user_agent", + "action", + "operation_type", + "actor", + "repo", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_content_analysis.enable", "description": "Data use settings were enabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "org", + "user_id", + "repo_id", + "@timestamp", + "request_id", + "actor", + "action", + "operation_type", + "created_at", + "actor_id", + "repo", + "user_agent", + "org_id", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.disable", "description": "The dependency graph was disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "repo_id", + "operation_type", + "user_id", + "repo", + "_document_id", + "actor", + "user", + "action", + "@timestamp", + "org_id", + "actor_id", + "org", + "created_at", + "user_agent", + "request_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea, tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.enable", "description": "The dependency graph was enabled for a private repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "org", + "org_id", + "action", + "repo", + "user_id", + "created_at", + "user_agent", + "actor_id", + "repo_id", + "operation_type", + "actor", + "@timestamp", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_limit.reached", "description": "An organization has reached their repository limit.", "docs_reference_links": "repositories/creating-and-managing-repositories/repository-limits", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "limit", + "count", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "repositories/creating-and-managing-repositories/repository-limits" }, { "action": "repository_limit.warning", "description": "An organization is approaching their repository limit.", "docs_reference_links": "repositories/creating-and-managing-repositories/repository-limits", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "limit", + "count", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "repositories/creating-and-managing-repositories/repository-limits" }, { "action": "repository_projects_change.clear", "description": "The repository projects policy was removed for an organization, or all organizations in the enterprise Organization owners can now control their repository projects settings.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "action", + "user_agent", + "user", + "business_id", + "business", + "operation_type", + "actor", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "repository_projects_change.disable", "description": "Repository projects were disabled for a repository, all repositories in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "@timestamp", + "repo", + "action", + "operation_type", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "repo_id", + "actor", + "request_id", + "programmatic_access_type" + ] }, { "action": "repository_projects_change.enable", "description": "Repository projects were enabled for a repository, all repositories in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "repo_id", + "org", + "request_id", + "user", + "user_agent", + "created_at", + "org_id", + "action", + "user_id", + "operation_type", + "_document_id", + "actor_id", + "repo" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { "action": "repository_secret_scanning.enable", "description": "Secret scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "repository_secret_scanning_generic_secrets.disabled", "description": "Generic secrets have been disabled at the repository level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_secret_scanning_generic_secrets.enabled", "description": "Generic secrets have been enabled at the repository level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_security_configuration.applied", "description": "A code security configuration was applied to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.failed", "description": "A code security configuration failed to attach to the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed", "description": "A code security configuration was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed_by_settings_change", "description": "A code security configuration was removed due to a change in repository or enterprise settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_visibility_change.clear", "description": "The repository visibility change setting was cleared for an organization or enterprise.", "docs_reference_links": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-changes-to-repository-visibility", + "fields": [ + "created_at", + "_document_id", + "request_id", + "actor_id", + "business", + "action", + "operation_type", + "user", + "user_id", + "business_id", + "@timestamp", + "user_agent", + "actor", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, Enforcing repository management policies in your enterprise" }, { "action": "repository_visibility_change.disable", "description": "The ability for enterprise members to update a repository's visibility was disabled. Members are unable to change repository visibilities in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "org_id", + "created_at", + "user_agent", + "actor", + "actor_id", + "org", + "operation_type", + "_document_id", + "@timestamp", + "user_id", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "repository_visibility_change.enable", "description": "The ability for enterprise members to update a repository's visibility was enabled. Members are able to change repository visibilities in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "operation_type", + "_document_id", + "@timestamp", + "user_agent", + "user", + "created_at", + "org", + "org_id", + "action", + "actor_id", + "user_id", + "request_id" + ] }, { "action": "repository_vulnerability_alert.auto_dismiss", "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.auto_reopen", "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.create", "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "fields": [ + "operation_type", + "request_id", + "repo_id", + "@timestamp", + "user_agent", + "alert_id", + "action", + "repo", + "created_at", + "_document_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ], "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts" }, { "action": "repository_vulnerability_alert.dismiss", "description": "A Dependabot alert was manually dismissed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "org_id", + "user_id", + "request_id", + "@timestamp", + "operation_type", + "user_agent", + "alert_id", + "actor", + "repo", + "created_at", + "org", + "_document_id", + "action", + "actor_id", + "dismiss_reason", + "user", + "dismiss_comment", + "alert_number", + "actor_is_bot" + ] }, { "action": "repository_vulnerability_alert.reintroduce", "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "alert_id", + "created_at", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "_document_id", + "@timestamp", + "operation_type", + "token_scopes", + "alert_number" + ] }, { "action": "repository_vulnerability_alert.reopen", "description": "A Dependabot alert was manually reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "alert_id", + "created_at", + "action", + "repo", + "repo_id", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "operation_type", + "business", + "business_id", + "public_repo", + "alert_number", + "request_access_security_header" + ] }, { "action": "repository_vulnerability_alert.resolve", "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "alert_id", + "repo", + "operation_type", + "action", + "repo_id", + "_document_id", + "user_agent", + "request_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ] }, { "action": "repository_vulnerability_alert.withdraw", "description": "A Dependabot alert was withdrawn.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "alert_id", + "alert_number", + "ghsa_id", + "created_at", + "active", + "action", + "repository_id", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "operation_type" + ] }, { "action": "repository_vulnerability_alerts.authorized_users_teams", "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts", + "fields": [ + "org", + "_document_id", + "repo", + "org_id", + "operation_type", + "created_at", + "actor", + "action", + "@timestamp", + "user_agent", + "repo_id", + "request_id", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts" }, { "action": "repository_vulnerability_alerts_auto_dismissal.disable", "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repository_vulnerability_alerts_auto_dismissal.enable", "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_vulnerability_alerts.disable", "description": "Dependabot alerts was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "request_id", + "repo_id", + "action", + "actor_id", + "@timestamp", + "created_at", + "actor", + "user_agent", + "org_id", + "user", + "org", + "_document_id", + "user_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_vulnerability_alerts.enable", "description": "Dependabot alerts was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_agent", + "created_at", + "@timestamp", + "repo_id", + "action", + "user", + "repo", + "org", + "org_id", + "actor_id", + "_document_id", + "user_id", + "operation_type", + "request_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "required_status_check.create", "description": "A status check was marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "org", + "actor_id", + "@timestamp", + "business", + "request_id", + "context", + "repo_id", + "action", + "repo", + "_document_id", + "operation_type", + "business_id", + "org_id", + "actor", + "created_at", + "user_agent", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "required_status_check.destroy", "description": "A status check was no longer marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "actor_id", + "actor", + "created_at", + "context", + "operation_type", + "@timestamp", + "request_id", + "org", + "user_agent", + "repo_id", + "org_id", + "action", + "_document_id", + "repo", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "role.create", "description": "A new custom repository role was created.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "role_permissions", + "old_role_permissions" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.destroy", "description": "A custom repository role was deleted.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.update", "description": "A custom repository role was edited.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "old_role_permissions", + "old_base_role" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.public_leak", "description": "A secret scanning alert was leaked in a public repo.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "created_at" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.reopen", "description": "A secret scanning alert was reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type_display_name" + ] }, { "action": "secret_scanning_alert.report", "description": "A leaked secret was reported to the secret's provider by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "created_at", + "secret_type_display_name", + "secret_type_provider", + "report_result" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts" }, { "action": "secret_scanning_alert.resolve", "description": "A secret scanning alert was resolved.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "resolution", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" + ] }, { "action": "secret_scanning_alert.revoke", "description": "A secret scanning alert was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_closure_request.approve", "description": "A request to close a secret scanning alert was approved by a user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "request_reviewer_comment", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "secret_scanning_closure_request.cancel", "description": "N/A", "docs_reference_links": "A reqeust to close a secret scanning alert was canceled by a user.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "A, reqeust, to, close, a, secret, scanning, alert, was, canceled, by, a, user." }, { "action": "secret_scanning_closure_request.create", "description": "N/A", "docs_reference_links": "A user requested to close a secret scanning alert.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "reason", + "comment", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "A, user, requested, to, close, a, secret, scanning, alert." }, { "action": "secret_scanning_closure_request.deny", "description": "A request to close a secret scanning alert was denied by a user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "request_reviewer_comment", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_scan.completed", "description": "A secret scanning scan has completed on this repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "repo_id", + "org_id", + "business_id", + "source", + "type", + "source_slug", + "type_slug", + "started_at", + "completed_at", + "repo", + "public_repo", + "org", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "secret_types", + "custom_pattern_name", + "custom_pattern_scope" + ], "docs_reference_titles": "About secret scanning" }, { "action": "security_configuration.create", "description": "A security configuration was created", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_default.delete", "description": "A default security configuration setting for new repositories was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration_default.update", "description": "A default security configuration setting for new repositories was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration.delete", "description": "A security configuration was deleted", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_policy.update", "description": "A security configuration policy was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enforcement", + "security_configuration_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "security_configuration.update", "description": "A security configuration was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.invoiced_agreement_sign", "description": "An agreement for invoiced billing for GitHub Sponsors was signed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice" }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "staff.dependabot_debug_credentials_generated", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "staff.set_domain_token_expiration", "description": "The verification code expiry time for an organization or enterprise domain was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "staff.unverify_domain", "description": "An organization or enterprise domain was unverified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "staff.verify_domain", "description": "An organization or enterprise domain was verified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "domain_name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { "action": "team.add_repository", "description": "A team was given access and permissions to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", + "org", + "repo", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { "action": "team.create", "description": "A new team is created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", + "org", + "actor", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { "action": "team.destroy", "description": "A team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", + "operation_type", + "_document_id", + "programmatic_access_type" + ] }, { "action": "team_discussions.clear", "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "actor_id", + "user", + "business", + "action", + "request_id", + "created_at", + "user_id", + "_document_id" + ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { "action": "team_discussions.enable", "description": "Team discussions were enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "@timestamp", + "action", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", + "user", + "business", + "operation_type", + "actor", + "created_at" + ] }, { "action": "team_group_mapping.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "action", + "operation_type", + "team", + "@timestamp", + "actor_id", + "org", + "_document_id", + "org_id", + "user_agent", + "request_id", + "request_access_security_header" + ] }, { "action": "team_group_mapping.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "@timestamp", + "actor_id", + "_document_id", + "team", + "created_at", + "org_id", + "action", + "request_id", + "user_agent", + "actor", + "org", + "request_access_security_header" + ] }, { "action": "team_group_mapping.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { "action": "team.remove_repository", "description": "A repository was removed from a team's control.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "org_id", + "repo", + "repo_id", + "action", + "_document_id", + "actor", + "@timestamp", + "actor_id", + "user_agent", + "created_at", + "team", + "org", + "operation_type", + "programmatic_access_type" + ] }, { "action": "team.rename", "description": "A team's name was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "user_agent", + "created_at", + "team", + "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.update_okta_credentials", "description": "The Okta credentials for team synchronization with a tenant were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "team.update_repository_permission", "description": "A team's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "team", + "org_id", + "@timestamp", + "org", + "_document_id", + "old_permission", + "request_id", + "repo", + "action", + "repo_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "vulnerability_alert_rule.create", "description": "A Dependabot rule was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.delete", "description": "A Dependabot rule was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.disable", "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.enable", "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "vulnerability_alert_rule.force_disable", "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "vulnerability_alert_rule.force_enable", "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "vulnerability_alert_rule.update", "description": "A Dependabot rule's conditions, actions, or metadata changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.17/user.json b/src/audit-logs/data/ghes-3.17/user.json index afe8ec4b2c2a..937791ec8c71 100644 --- a/src/audit-logs/data/ghes-3.17/user.json +++ b/src/audit-logs/data/ghes-3.17/user.json @@ -2,2139 +2,8547 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "account_recovery_token.confirm", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "token_id", + "user_id", + "user", + "actor", + "operation_type" + ] }, { "action": "account_recovery_token.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", + "actor", + "user_id", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "account_recovery_token.recover", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" + ] }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "billing.update_bill_cycle_day", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_coverage", "description": "A CSV export was requested on the \"Coverage\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_overview_dashboard", "description": "A CSV export was requested on the \"Overview Dashboard\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_risk", "description": "A CSV export was requested on the \"Risk\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.user_access_reinstated", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "owner_type", + "actor_id", + "user_id", + "owner", + "org", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.user_access_revoked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "owner_type", + "actor_id", + "user_id", + "owner", + "org", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "gist.create", "description": "A gist was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "user", + "gist_id", + "@timestamp", + "created_at", + "operation_type", + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "gist.destroy", "description": "A gist was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "gist_id", + "visibility", + "created_at", + "_document_id", + "user", + "request_id", + "operation_type", + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "gist.visibility_change", "description": "The visibility of a gist was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "gpg_key.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "created_at", + "user_id", + "@timestamp", + "user", + "operation_type", + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" + ] }, { "action": "gpg_key.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor", + "actor_id", + "user", + "action", + "created_at", + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing_plan.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "actor", + "action", + "operation_type", + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" + ] }, { "action": "marketplace_listing_plan.publish", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", + "_document_id", + "action", + "user_agent", + "request_id", + "actor", + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" + ] }, { "action": "marketplace_listing_plan.retire", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", + "created_at", + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" + ] }, { "action": "marketplace_listing_plan.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "monthly_price_in_cents", + "marketplace_listing", + "_document_id", + "action", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", + "actor_id", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", + "operation_type", + "actor", + "created_at" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_access.regenerate", "description": "An OAuth access token was regenerated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "_document_id", + "created_at", + "@timestamp", + "operation_type", + "action", + "user_agent", + "request_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "oauth_application_name" + ] }, { "action": "oauth_access.revoke", "description": "An OAuth access token was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "request_access_security_header", + "hashed_token", + "token_id", + "token_scopes", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "oauth_access.update", "description": "An OAuth access token was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "action", + "@timestamp", + "user", + "user_agent", + "request_access_security_header" + ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "oauth_authorization.update", "description": "An authorization for an OAuth application was updated.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "org_id", + "request_id", + "user_id", + "actor", + "actor_id", + "user_agent", + "@timestamp", + "operation_type", + "action", + "user", + "created_at", + "_document_id", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the CodeQL pull request alerts page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "passkey.register", "description": "A new passkey was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "passkey.remove", "description": "A new passkey was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.create", "description": "Triggered when you create a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "personal_access_token.credential_regenerated", "description": "Triggered when you regenerate a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { "action": "personal_access_token.destroy", "description": "Triggered when you delete a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "security_key.register", "description": "A security key was registered for an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "created_at", + "user_id", + "action", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" + ] }, { "action": "security_key.remove", "description": "A security key was removed from an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "action", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "trusted_device.register", "description": "A new trusted device was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "trusted_device.remove", "description": "A trusted device was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "two_factor_account_recovery.abort", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "action", + "request_id", + "user_id", + "@timestamp", + "_document_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "two_factor_account_recovery.complete", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "created_at", + "user_id", + "operation_type", + "user", + "_document_id", + "user_agent", + "action" + ] }, { "action": "two_factor_account_recovery.ignore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "created_at", + "user_id", + "operation_type", + "@timestamp", + "user", + "action" + ] }, { "action": "two_factor_account_recovery.staff_approve", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "action", + "_document_id" + ] }, { "action": "two_factor_account_recovery.staff_decline", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user", + "created_at", + "request_id", + "actor_id", + "_document_id" + ] }, { "action": "two_factor_account_recovery.start", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" + ] }, { "action": "two_factor_account_recovery.two_factor_destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "user", + "_document_id", + "request_id" + ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { "action": "two_factor_authentication.password_reset_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", + "@timestamp", + "request_id", + "_document_id", + "user_agent" + ] }, { "action": "two_factor_authentication.recovery_codes_regenerated", "description": "Two factor recovery codes were regenerated for a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "action", + "user", + "user_agent", + "actor_id", + "@timestamp", + "created_at" + ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.sign_in_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "operation_type", + "user_id", + "user", + "user_agent", + "created_at", + "_document_id", + "action", + "@timestamp" + ] }, { "action": "two_factor_authentication.update_fallback", "description": "The two-factor authentication fallback for a user account was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "user", + "user_id", + "operation_type", + "user_agent", + "action", + "request_id", + "actor", + "actor_id" + ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { "action": "user.async_delete", "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "created_at", + "user", + "@timestamp", + "_document_id", + "request_id", + "actor_id", + "operation_type", + "user_agent", + "action", + "request_access_security_header" + ] }, { "action": "user.audit_log_export", "description": "Audit log entries were exported.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", + "operation_type", + "created_at" + ] }, { "action": "user.block_user", "description": "A user was blocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_id", + "_document_id", + "actor_id", + "@timestamp", + "user_agent", + "user", + "request_id", + "blocked_user", + "operation_type", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.change_password", "description": "A user changed their password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "actor", + "user", + "user_id", + "action", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.create", "description": "A new user account was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "email", + "user_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "created_at", + "_document_id", + "user_agent", + "actor", + "actor_id", + "action", + "programmatic_access_type" + ] }, { "action": "user.create_integration_secret", "description": "A user secret for Codespaces was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.creation_rate_limit_exceeded", "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "user_agent", + "_document_id", + "operation_type", + "oauth_application_id", + "action", + "actor", + "actor_id", + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.delete", "description": "A user account was destroyed by an asynchronous job.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "user_id", + "actor", + "actor_id", + "user", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.demote", "description": "A site administrator was demoted to an ordinary user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "oauth_application_id", + "action", + "user", + "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "_document_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.destroy", "description": "A user deleted his or her account, triggering user.async_delete.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "user", + "_document_id", + "created_at", + "user_agent", + "user_id", + "operation_type", + "actor_id", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.device_verification_failure", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.device_verification_requested", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user_id", + "actor", + "operation_type", + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" + ] }, { "action": "user.device_verification_success", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user", + "_document_id", + "action", + "operation_type", + "user_agent", + "created_at", + "request_id", + "actor", + "actor_id", + "user_id", + "request_access_security_header" + ] }, { "action": "user.disable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user_email.confirm_claim", "description": "An enterprise managed user claimed an email address.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { "action": "user.enable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.failed_login", "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", + "actor", + "actor_id", + "user_agent" + ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { "action": "user.grant_github_developer", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", + "@timestamp", + "_document_id", + "user", + "user_id", + "actor", + "operation_type", + "request_id" + ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.login", "description": "A user signed in.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "actor_id", + "@timestamp", + "user", + "action", + "operation_type", + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" + ] }, { "action": "user.logout", "description": "A user signed out.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.new_device_used", "description": "A user signed in from a new device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ] }, { "action": "user.promote", "description": "An ordinary user account was promoted to a site administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "actor", + "actor_id", + "user", + "@timestamp", + "created_at", + "user_agent", + "oauth_application_id", + "request_id", + "operation_type", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.recreate", "description": "A user's account was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user", + "action", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user_id", + "created_at", + "actor", + "operation_type" + ] }, { "action": "user.remove_email", "description": "An email address was removed from a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "@timestamp", + "_document_id", + "request_id", + "user", + "user_id", + "operation_type", + "actor", + "actor_id", + "created_at", + "email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.remove_integration_secret", "description": "A user secret for Codespaces was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.rename", "description": "A username was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "request_id", + "actor_id", + "old_login", + "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", + "operation_type", + "user_agent", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.reset_password", "description": "A user reset their account password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "user", + "request_id", + "user_id", + "created_at", + "@timestamp", + "_document_id", + "actor", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_session.country_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_id", + "action", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.sign_in_from_unrecognized_device", "description": "A user signed in from an unrecognized device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "operation_type", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_device_and_location", "description": "A user signed in from an unrecognized device and location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "request_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_status.destroy", "description": "Triggered when you clear the status on your profile.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_id", + "actor", + "message", + "user", + "actor_id", + "created_at", + "request_id", + "limited_availability", + "action", + "emoji", + "operation_type", + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { "action": "user.suspend", "description": "A user account was suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "operation_type", + "actor_id", + "user", + "user_agent", + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.toggle_warn_private_email", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "actor_id", + "@timestamp", + "operation_type", + "_document_id", + "user_agent", + "actor", + "action", + "user_id", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_success", "description": "A 2FA challenge issued for a user account succeeded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_id", + "operation_type", + "actor_id", + "user", + "actor", + "user_agent", + "request_id", + "action", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_recover", "description": "A user used their 2FA recovery codes.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", + "action", + "actor", + "actor_id", + "created_at", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_downloaded", "description": "A user downloaded 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "actor_id", + "user", + "request_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_printed", "description": "A user printed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", + "actor", + "actor_id", + "@timestamp" + ] }, { "action": "user.two_factor_recovery_codes_viewed", "description": "A user viewed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "actor", + "user_id", + "action", + "created_at", + "user", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { "action": "user.unblock_user", "description": "A user was unblocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", + "actor", + "@timestamp", + "user_agent", + "user_id", + "user", + "created_at", + "request_access_security_header" + ] }, { "action": "user.unsuspend", "description": "A user account was unsuspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "user", + "action", + "user_agent", + "actor", + "oauth_application_id", + "operation_type", + "actor_id", + "created_at", + "@timestamp", + "user_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.update_integration_secret", "description": "A user secret for Codespaces was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.update_new_repository_default_branch_setting", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.18/enterprise.json b/src/audit-logs/data/ghes-3.18/enterprise.json index 65ee72b262a8..0ccdcc86fd76 100644 --- a/src/audit-logs/data/ghes-3.18/enterprise.json +++ b/src/audit-logs/data/ghes-3.18/enterprise.json @@ -2,4402 +2,17712 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "account_recovery_token.confirm", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "token_id", + "user_id", + "user", + "actor", + "operation_type" + ] }, { "action": "account_recovery_token.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", + "actor", + "user_id", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "account_recovery_token.recover", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" + ] }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "api.request", "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests", + "fields": [ + "user_agent", + "request_id", + "request_method", + "query_string", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "request_body", + "status_code", + "url_path", + "business", + "business_id", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "route", + "rate_limit_remaining", + "actor_is_bot" + ], "docs_reference_titles": "Streaming the audit log for your enterprise" }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "audit_log_streaming.check", "description": "A manual check of the endpoint configured for audit log streaming was performed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "audit_log_stream_result", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_sink_details", + "request_access_security_header" + ] }, { "action": "audit_log_streaming.create", "description": "An endpoint was added for audit log streaming.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business_id", + "business", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_id" + ] }, { "action": "audit_log_streaming.destroy", "description": "An audit log streaming endpoint was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "audit_log_stream_id", + "audit_log_stream_sink_details" + ] }, { "action": "audit_log_streaming.update", "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "audit_log_stream_enabled", + "business_id", + "business", + "audit_log_stream_sink", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "new_s3_bucket", + "old_s3_bucket", + "secrets_updated", + "new_s3_arn_role", + "old_s3_arn_role", + "new_azure_blob_container", + "old_azure_blob_container", + "new_event_hub_instance", + "old_event_hub_instance", + "new_splunk_domain", + "old_splunk_domain", + "ssl_verify", + "old_gc_bucket" + ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "billing.update_bill_cycle_day", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.add_admin", "description": "An enterprise owner was added to an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "name", + "business", + "user", + "user_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "action", + "operation_type", + "request_id", + "business_id", + "_document_id", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { "action": "business.add_organization", "description": "An organization was added to an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "actor", + "business_id", + "org", + "action", + "user_agent", + "actor_id", + "name", + "created_at", + "request_id", + "_document_id", + "business", + "organization_upgrade", + "request_access_security_header" + ] }, { "action": "business_advanced_security.disabled", "description": "GitHub Advanced Security was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.disabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was disabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled", "description": "GitHub Advanced Security was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.enabled_for_new_user_namespace_repos", "description": "GitHub Advanced Security was enabled for new user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.advanced_security_policy_update", "description": "An enterprise owner created, updated, or removed a policy for GitHub Advanced Security.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "business.advanced_security_repo_admin_enablement_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business_advanced_security.user_namespace_repos_disabled", "description": "GitHub Advanced Security was disabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_advanced_security.user_namespace_repos_enabled", "description": "GitHub Advanced Security was enabled for user namespace repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.clear_actions_settings", "description": "An enterprise owner or site administrator cleared GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.clear_default_repository_permission", "description": "An enterprise owner cleared the base repository permission policy setting for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "name", + "operation_type", + "business_id", + "user_agent", + "actor_id", + "request_id", + "actor", + "_document_id", + "business", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.clear_members_can_create_repos", "description": "An enterprise owner cleared a restriction on repository creation in organizations in the enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#setting-a-policy-for-repository-creation", + "fields": [ + "user_agent", + "actor_id", + "business_id", + "action", + "_document_id", + "request_id", + "name", + "business", + "visibility", + "created_at", + "actor", + "operation_type", + "@timestamp" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.code_scanning_autofix_policy_update", "description": "The policy for Code scanning autofix was updated for an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.code_scanning_autofix_third_party_tools_policy_update", "description": "The policy for Code scanning autofix third party tools was updated for an enterprise.", "docs_reference_links": "/code-security/getting-started/github-security-features#available-with-github-code-security", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#available-with-github-code-security" }, { "action": "business.code_security_enablement_policy_update", "description": "The policy for Code Security enablement was updated for an enterprise.", "docs_reference_links": "/code-security/getting-started/github-security-features#available-with-github-code-security", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#available-with-github-code-security" }, { "action": "business.create", "description": "An enterprise was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "_document_id", + "action", + "@timestamp", + "request_id", + "name", + "business", + "business_id", + "operation_type", + "actor", + "created_at", + "user_agent", + "request_access_security_header" + ] }, { "action": "business_dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for new repositories in your enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for new repositories in your enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.dependabot_alerts_repo_admin_enablement_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.disable_open_scim", "description": "SCIM provisioning for custom integrations that use the REST API was disabled for the enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was disabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { "action": "business.disable_two_factor_requirement", "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "@timestamp", + "actor", + "business", + "operation_type", + "created_at", + "user_agent", + "business_id", + "actor_id", + "name", + "_document_id", + "request_id" + ] }, { "action": "business.enable_open_scim", "description": "SCIM provisioning for custom integrations that use the REST API was enabled for the enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the enterprise was enabled.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise" }, { "action": "business.enable_two_factor_requirement", "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "actor", + "operation_type", + "created_at", + "business", + "business_id", + "name", + "_document_id", + "request_id", + "@timestamp" + ] }, { "action": "business.members_can_update_protected_branches.clear", "description": "An enterprise owner unset a policy for whether members of an enterprise can update protected branches on repositories for individual organizations. Organization owners can choose whether to allow updating protected branches settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "business", + "name", + "operation_type", + "user", + "user_agent", + "business_id", + "_document_id" + ] }, { "action": "business.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update branch protection rules was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "business.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update branch protection rules was enabled. Enterprise owners and members can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "actor", + "operation_type", + "_document_id", + "business_id", + "user", + "@timestamp", + "business", + "actor_id", + "created_at", + "action", + "user_agent", + "request_id", + "user_id" + ] }, { "action": "business.remove_admin", "description": "An enterprise owner was removed from an enterprise.", "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise", + "fields": [ + "actor", + "operation_type", + "user_agent", + "business", + "business_id", + "@timestamp", + "created_at", + "request_id", + "action", + "name", + "actor_id", + "user_id", + "_document_id", + "user" + ], "docs_reference_titles": "Inviting people to manage your enterprise" }, { "action": "business.remove_organization", "description": "An organization was removed from an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "action", + "business", + "actor", + "actor_id", + "request_id", + "created_at", + "user_agent", + "business_id", + "operation_type", + "@timestamp", + "_document_id", + "name", + "org" + ] }, { "action": "business.rename_slug", "description": "The slug for the enterprise URL was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "name", + "business_id", + "user_agent", + "action", + "actor_id", + "operation_type", + "actor", + "@timestamp", + "created_at", + "business", + "_document_id" + ] }, { "action": "business.revoke_sso_session", "description": "The SAML single sign-on session for a member in an enterprise was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "user_agent", + "request_id", + "user", + "operation_type", + "actor", + "_document_id", + "actor_id", + "name", + "@timestamp", + "user_id", + "action", + "created_at", + "business" + ] }, { "action": "business_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the business level", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_custom_pattern.create", "description": "An enterprise-level custom pattern was created for secret scanning.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern.delete", "description": "An enterprise-level custom pattern was removed from secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_secret_scanning_custom_pattern.publish", "description": "An enterprise-level custom pattern was published for secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your enterprise.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "business_secret_scanning_custom_pattern.update", "description": "Changes to an enterprise-level custom pattern were saved and a dry run was executed for secret scanning.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business_secret_scanning.disable", "description": "Secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.disabled_for_new_repos", "description": "Secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enable", "description": "Secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning.enabled_for_new_repos", "description": "Secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the enterprise level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "business_secret_scanning_push_protection_custom_message.disable", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.enable", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_custom_message.update", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disable", "description": "Push protection for secret scanning was disabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.disabled_for_new_repos", "description": "Push protection for secret scanning was disabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enable", "description": "Push protection for secret scanning was enabled for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection.enabled_for_new_repos", "description": "Push protection for secret scanning was enabled for new repositories in your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your enterprise.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "business.secret_scanning_repo_admin_settings_policy_update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "new_policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_coverage", "description": "A CSV export was requested on the \"Coverage\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_overview_dashboard", "description": "A CSV export was requested on the \"Overview Dashboard\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_risk", "description": "A CSV export was requested on the \"Risk\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your enterprise. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "issuer", + "name", + "user_agent", + "action", + "@timestamp", + "_document_id", + "actor", + "business", + "business_id", + "actor_id", + "created_at", + "request_id", + "operation_type", + "request_access_security_header" + ] }, { "action": "business.update_actions_settings", "description": "An enterprise owner or site administrator updated GitHub Actions policy settings for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "updated_github_owned_allowed", + "updated_verified_allowed", + "updated_patterns", + "new_policy", + "old_policy", + "updated_access_policy" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.update_default_repository_permission", "description": "The base repository permission setting was updated for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions", + "fields": [ + "business_id", + "operation_type", + "user_agent", + "actor", + "actor_id", + "permission", + "action", + "created_at", + "@timestamp", + "request_id", + "name", + "_document_id", + "old_permission", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_creation_permission", "description": "The repository creation setting was updated for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-creation", + "fields": [ + "created_at", + "_document_id", + "request_id", + "name", + "business_id", + "actor", + "actor_id", + "@timestamp", + "operation_type", + "permission", + "action", + "business", + "user_agent", + "visibility" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "business.update_member_repository_invitation_permission", "description": "The policy setting for enterprise members inviting outside collaborators to repositories was updated.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-inviting-outside-collaborators-to-repositories", + "fields": [ + "business_id", + "created_at", + "action", + "operation_type", + "@timestamp", + "request_id", + "permission", + "actor", + "actor_id", + "name", + "_document_id", + "user_agent", + "business" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "code_scanning.alert_appeared_in_branch", "description": "Existing code scanning alerts appeared in a branch.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_fixed", "description": "Code scanning alerts were fixed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_outdated", "description": "Code scanning alerts were closed as outdated (all configurations they were detected in were deleted).", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_numbers", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_by_user", "description": "Code scanning alerts were manually dismissed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers", + "dismissal_approver_id" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_approved", "description": "Dismissal of code scanning alerts was approved.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_denied", "description": "Dismissal of code scanning alerts was denied.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_requested", "description": "Dismissal of code scanning alerts was requested.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_created", "description": "Code scanning alerts were seen for the first time.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reappeared", "description": "Code scanning alerts that were previously fixed reappeared.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reopened_by_user", "description": "Code scanning alerts that were previously dismissed were reopened.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code.search", "description": "A code search was run targeting an organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/search-github/github-code-search", + "fields": [ + "@timestamp", + "action", + "actor_id", + "business_id", + "query", + "org_id", + "user_id", + "_document_id", + "search_string" + ], "docs_reference_titles": "/search-github/github-code-search" }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.swe_agent_repo_disabled", "description": "Specific repositories were disabled from using Copilot coding agent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "owner_type", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.swe_agent_repo_enabled", "description": "Specific repositories were enabled to use Copilot coding agent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "org_id", + "owner_type", + "owner", + "repo", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.swe_agent_repo_enablement_updated", "description": "Copilot coding agent access was updated for the organization's or user's repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "new_access", + "old_access", + "org_id", + "owner_type", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.default_access_level_updated", "description": "The default repository access for Dependabot was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "org", + "org_id", + "access_level", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_domain.approve", "description": "A domain was approved for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#approving-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.create", "description": "A domain was added to an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.destroy", "description": "A domain was removed from an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#removing-an-approved-or-verified-domain", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise_domain.verify", "description": "A domain was verified for an enterprise.", "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Verifying or approving a domain for your enterprise" }, { "action": "enterprise.register_self_hosted_runner", "description": "A new GitHub Actions self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "enterprise.remove_self_hosted_runner", "description": "A GitHub Actions self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_created", "description": "A GitHub Actions self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "enterprise.runner_group_removed", "description": "A GitHub Actions self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runner_removed", "description": "The REST API was used to remove a GitHub Actions self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "enterprise.runner_group_runners_added", "description": "A GitHub Actions self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.runner_group_runners_updated", "description": "A GitHub Actions runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "enterprise.runner_group_updated", "description": "The configuration of a GitHub Actions self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "enterprise.self_hosted_runner_offline", "description": "The GitHub Actions runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_online", "description": "The GitHub Actions runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "enterprise.self_hosted_runner_updated", "description": "The GitHub Actions runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "business_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "enterprise_team.add_member", "description": "A new member was added to the enterprise team or an IdP group linked to an enterprise team, or an IdP group was linked to an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "user", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_team.copilot_assignment", "description": "A license for GitHub Copilot was assigned to an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "enterprise_team.copilot_unassignment", "description": "A license for GitHub Copilot was unassigned from an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "enterprise_team.create", "description": "A new enterprise team was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "enterprise_team.destroy", "description": "An enterprise team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "enterprise_team.remove_member", "description": "A member was removed from the enterprise team or an IdP group linked to an enterprise team, or an IdP group was unlinked from an enterprise team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "business_id", + "enterprise_team_id", + "enterprise_team", + "user", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "enterprise_team.rename", "description": "The name of an enterprise team was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business_id", + "enterprise_team_id", + "enterprise_team", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "external_group.add_member", "description": "A user was added to an external group.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group", + "external_group_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.delete", "description": "An external group was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "scim_group_id" + ] }, { "action": "external_group.link", "description": "An external group was linked to a GitHub team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "external_group_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group", + "programmatic_access_type", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.provision", "description": "An external group was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "external_group.remove_member", "description": "A user was removed from an external group.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group", + "external_group_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "external_group.scim_api_failure", "description": "Failed external group SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.scim_api_success", "description": "Successful external group SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_group.unlink", "description": "An external group was unlinked to a GitHub team.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "external_group_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "external_group" + ] }, { "action": "external_group.update", "description": "An external group was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_group.update_display_name", "description": "An external group's display name was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "external_group_id", + "external_group", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "scim_group_id", + "request_access_security_header" + ] }, { "action": "external_identity.deprovision", "description": "An external identity was deprovisioned, suspending the linked GitHub user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "external_identity.provision", "description": "An external identity was created and linked to a GitHub user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] }, { "action": "external_identity.scim_api_failure", "description": "Failed external identity SCIM API request.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.scim_api_success", "description": "Successful external identity SCIM API request. Excludes GET API requests.", "docs_reference_links": "/rest/scim/scim", + "fields": [ + "user_agent", + "request_id", + "request_method", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "query_string", + "api_request_body", + "route", + "status_code", + "url_path", + "scim_user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "REST API endpoints for SCIM" }, { "action": "external_identity.update", "description": "An external identity was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "action", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "scim_user_id", + "request_access_security_header" + ] }, { "action": "gist.create", "description": "A gist was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "user", + "gist_id", + "@timestamp", + "created_at", + "operation_type", + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "gist.destroy", "description": "A gist was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "gist_id", + "visibility", + "created_at", + "_document_id", + "user", + "request_id", + "operation_type", + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "gist.visibility_change", "description": "The visibility of a gist was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "git.clone", "description": "A repository was cloned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.fetch", "description": "Changes were fetched from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.push", "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "gpg_key.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "created_at", + "user_id", + "@timestamp", + "user", + "operation_type", + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" + ] }, { "action": "gpg_key.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor", + "actor_id", + "user", + "action", + "created_at", + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation_request.close", "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "url", + "actor", + "actor_id", + "created_at", + "request_id", + "operation_type", + "@timestamp", + "integration", + "action", + "user_agent", + "reason", + "_document_id", + "org", + "org_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation_request.create", "description": "A member requested that an owner install a GitHub App.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "@timestamp", + "actor_id", + "org", + "_document_id", + "requester", + "action", + "user_agent", + "created_at", + "url", + "org_id", + "request_id", + "operation_type", + "actor", + "integration", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "ip_allow_list.disable", "description": "An IP allow list was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "actor", + "request_id", + "org", + "user_agent", + "_document_id", + "user_id", + "actor_id", + "created_at", + "org_id", + "action", + "@timestamp", + "user" + ] }, { "action": "ip_allow_list.disable_for_installed_apps", "description": "An IP allow list was disabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.disable_user_level_enforcement", "description": "IP allow list user level enforcement was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ip_allow_list.enable", "description": "An IP allow list was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", + "_document_id", + "action", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "org", + "created_at" + ] }, { "action": "ip_allow_list.enable_for_installed_apps", "description": "An IP allow list was enabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.enable_user_level_enforcement", "description": "IP allow list user level enforcement was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ip_allow_list_entry.create", "description": "An IP address was added to an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "active", + "org", + "ip_allow_list_entry", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "actor_id", + "business_id", + "org_id", + "business", + "actor", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.destroy", "description": "An IP address was deleted from an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", + "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.update", "description": "An IP address or its description was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "actor", + "org", + "action", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" + ] }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing_plan.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "actor", + "action", + "operation_type", + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" + ] }, { "action": "marketplace_listing_plan.publish", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", + "_document_id", + "action", + "user_agent", + "request_id", + "actor", + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" + ] }, { "action": "marketplace_listing_plan.retire", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", + "created_at", + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" + ] }, { "action": "marketplace_listing_plan.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "monthly_price_in_cents", + "marketplace_listing", + "_document_id", + "action", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", + "actor_id", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", + "operation_type", + "actor", + "created_at" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_access.regenerate", "description": "An OAuth access token was regenerated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "_document_id", + "created_at", + "@timestamp", + "operation_type", + "action", + "user_agent", + "request_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "oauth_application_name" + ] }, { "action": "oauth_access.revoke", "description": "An OAuth access token was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "request_access_security_header", + "hashed_token", + "token_id", + "token_scopes", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "oauth_access.update", "description": "An OAuth access token was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "action", + "@timestamp", + "user", + "user_agent", + "request_access_security_header" + ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.suspend", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user_agent", + "org_id", + "org", + "operation_type", + "oauth_application_id", + "action", + "created_at", + "actor", + "actor_id", + "oauth_application", + "_document_id", + "request_id" + ] }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.unsuspend", "description": "An OAuth application was unsuspended for a user or organization account.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "operation_type", + "org_id", + "action", + "oauth_application_id", + "oauth_application", + "org", + "created_at", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "oauth_authorization.update", "description": "An authorization for an OAuth application was updated.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "org_id", + "request_id", + "user_id", + "actor", + "actor_id", + "user_agent", + "@timestamp", + "operation_type", + "action", + "user", + "created_at", + "_document_id", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.add_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_entity_policy_update", "description": "An enterprise owner updated the GitHub Advanced Security access policy for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "new_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.async_delete", "description": "A user initiated a background job to delete an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "request_id", + "org", + "org_id", + "user_agent", + "created_at" + ] }, { "action": "org.billing_signup_error", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_agent", + "action", + "@timestamp", + "actor_id", + "org_id", + "_document_id", + "actor", + "org", + "operation_type" + ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.cancel_invitation", "description": "An invitation sent to a user to join an organization was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "email", + "@timestamp", + "actor", + "action", + "operation_type", + "user_agent", + "org", + "invitation_id", + "_document_id", + "created_at", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.clear_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "org.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.delete", "description": "An organization was deleted by a user or staff.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "@timestamp", + "_document_id", + "created_at", + "actor", + "org_id", + "org", + "action", + "actor_id", + "operation_type", + "request_id", + "request_access_security_header" + ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.disable_saml", "description": "SAML single sign-on was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "sso_url", + "issuer", + "action", + "@timestamp", + "_document_id", + "created_at", + "org", + "operation_type" + ] }, { "action": "org.disable_two_factor_requirement", "description": "A two-factor authentication requirement was disabled for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "org_id", + "action", + "actor", + "actor_id", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "user_agent" + ] }, { "action": "org.display_commenter_full_name_disabled", "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "user", + "action", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" + ] }, { "action": "org.display_commenter_full_name_enabled", "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_agent", + "request_id", + "actor", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", + "action", + "actor_id", + "org_id" + ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.integration_manager_added", "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "org_id", + "manager", + "@timestamp", + "request_id", + "actor", + "operation_type", + "_document_id", + "actor_id", + "org", + "action", + "created_at" + ] }, { "action": "org.integration_manager_removed", "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "@timestamp", + "org", + "user_agent", + "request_id", + "action", + "actor", + "actor_id", + "manager", + "operation_type", + "created_at", + "_document_id" + ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { "action": "org.invite_to_business", "description": "An organization was invited to join an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "org.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "actor", + "user", + "action" + ] }, { "action": "org.rate_limited_invites", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "org_id", + "action", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org" + ] }, { "action": "org.recreate", "description": "An organization was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "action", + "operation_type", + "_document_id", + "user_agent", + "actor_id", + "@timestamp", + "request_id", + "actor", + "org_id" + ] }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.remove_outside_collaborator", "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user", + "org_id", + "created_at", + "request_id", + "@timestamp", + "action", + "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.remove_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "org.rename", "description": "An organization was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "@timestamp", + "org", + "action", + "actor", + "old_login", + "org_id", + "request_id", + "actor_id", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed", "description": "The push protection setting was changed for a secret type for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "secret_type", + "secret_type_display_name", + "push_protection_setting" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the CodeQL pull request alerts page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "org_id", + "operation_type", + "actor", + "actor_id", + "@timestamp", + "request_id", + "created_at", + "org", + "action" + ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "user_agent", + "actor", + "actor_id", + "org_id", + "@timestamp", + "org", + "issuer", + "business", + "operation_type", + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.transform", "description": "A user account was converted into an organization.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization", + "fields": [ + "actor", + "_document_id", + "request_id", + "operation_type", + "actor_id", + "org_id", + "org", + "action", + "@timestamp", + "created_at", + "user_agent", + "owner", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization" }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_default_repository_permission", "description": "The default repository permission level for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "operation_type", + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" + ] }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_saml_provider_settings", "description": "An organization's SAML provider settings were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", + "@timestamp", + "issuer", + "org", + "_document_id", + "actor", + "org_id", + "created_at", + "request_id", + "action" + ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_published", "description": "A package was published or republished to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_version_published", "description": "A specific package version was published or republished to a package.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "passkey.register", "description": "A new passkey was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "passkey.remove", "description": "A new passkey was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_restriction_disabled", "description": "The configured restriction for access to resources via personal access tokens was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_restriction_enabled", "description": "The configured restriction for access to resources via personal access tokens was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_restriction_reset", "description": "The configured restriction for access to resources via personal access tokens was reset and delegated to organizations.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.auto_approve_grant_requests_disabled", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.auto_approve_grant_requests_enabled", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.auto_approve_grant_requests_reset", "description": "Triggered when the enterprise delegates to the organizations when to require approval for fine-grained personal access tokens before the tokens can access organization resources.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.create", "description": "Triggered when you create a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "personal_access_token.credential_regenerated", "description": "Triggered when you regenerate a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { "action": "personal_access_token.destroy", "description": "Triggered when you delete a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.expiration_limit_set", "description": "A personal access token expiration limit was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "token_expiration", + "old_token_expiration", + "exempt_administrators", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.expiration_limit_unset", "description": "A personal access token expiration limit was unset.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "old_token_expiration", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { "action": "protected_branch.branch_allowances", "description": "A protected branch allowance was given to a specific user, team or integration.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "name", + "authorized_actors", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "protected_branch.create", "description": "Branch protection was enabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "repo_id", + "user_id", + "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", + "_document_id", + "request_id", + "actor", + "actor_id", + "org", + "action", + "created_at", + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.destroy", "description": "Branch protection was disabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "repo", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "repo_id", + "org_id", + "operation_type", + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.dismiss_stale_reviews", "description": "Enforcement of dismissing stale pull requests was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", + "action", + "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", + "operation_type", + "actor", + "repo", + "org", + "name", + "programmatic_access_type" + ] }, { "action": "protected_branch.dismissal_restricted_users_teams", "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", + "actor_id", + "org", + "action", + "operation_type", + "programmatic_access_type" + ] }, { "action": "protected_branch.policy_override", "description": "A branch protection requirement was overridden by a repository administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor", + "reasons", + "@timestamp", + "before", + "after", + "actor_id", + "repo", + "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "rule_suite_id" + ] }, { "action": "protected_branch.rejected_ref_update", "description": "A branch update attempt was rejected.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "@timestamp", + "created_at", + "_document_id", + "business", + "org_id", + "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" + ] }, { "action": "protected_branch.update_admin_enforced", "description": "Branch protection was enforced for repository administrators.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "admin_enforced", + "operation_type", + "user_agent", + "actor", + "org", + "name", + "repo", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_allow_deletions_enforcement_level", "description": "Branch deletion was enabled or disabled for a protected branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "operation_type", + "request_id", + "repo", + "@timestamp", + "org_id", + "org", + "action", + "allow_deletions_enforcement_level", + "_document_id", + "created_at", + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" + ] }, { "action": "protected_branch.update_allow_force_pushes_enforcement_level", "description": "Force pushes were enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "actor_id", + "name", + "_document_id", + "actor", + "repo", + "operation_type", + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_linear_history_requirement_enforcement_level", "description": "Required linear commit history was enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "operation_type", + "actor", + "linear_history_requirement_enforcement_level", + "repo", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "protected_branch.update_name", "description": "A branch name pattern was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "old_name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "protected_branch.update_pull_request_reviews_enforcement_level", "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "org_id", + "_document_id", + "actor_id", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", + "org", + "repo", + "action", + "business", + "user_agent", + "created_at", + "repo_id", + "operation_type", + "actor", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_code_owner_review", "description": "Enforcement of required code owner review was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", + "action", + "@timestamp", + "actor", + "actor_id", + "repo", + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { "action": "protected_branch.update_required_approving_review_count", "description": "Enforcement of the required number of approvals before merging was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "required_approving_review_count", + "repo", + "request_id", + "repo_id", + "created_at", + "actor", + "operation_type", + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_required_status_checks_enforcement_level", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "user_agent", + "@timestamp", + "_document_id", + "name", + "repo", + "action", + "business_id", + "repo_id", + "business", + "actor_id", + "operation_type", + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_signature_requirement_enforcement_level", "description": "Enforcement of required commit signing was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "name", + "@timestamp", + "created_at", + "_document_id", + "request_id", + "repo_id", + "org", + "org_id", + "action", + "actor", + "actor_id", + "signature_requirement_enforcement_level", + "repo", + "user_agent", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_strict_required_status_checks_policy", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "_document_id", + "org", + "@timestamp", + "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", + "operation_type", + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" + ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.in_progress", "description": "A pull request was marked as in progress.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "pull_request.indirect_merge", "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { "action": "pull_request.rebase", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "pull_request_url", + "pull_request_title", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.reopen", "description": "A pull request was reopened after previously being closed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request_review_comment.delete", "description": "A review comment on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "_document_id", + "repo", + "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.update", "description": "A review comment on a pull request was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "request_id", + "actor_id", + "action", + "created_at", + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review.delete", "description": "A review on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.code_scanning_delegated_alert_dismissal_disabled", "description": "Prevention of direct alert dismissal for code scanning was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "repo.code_scanning_delegated_alert_dismissal_enabled", "description": "Prevention of direct alert dismissal for code scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "visibility", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.disk_archive", "description": "A repository was archived on disk.", "docs_reference_links": "/repositories/archiving-a-github-repository/archiving-repositories", + "fields": [ + "actor_id", + "repo", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "repo_id", + "actor", + "action", + "user_agent" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository/archiving-repositories" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { "action": "repo.hide_from_discovery", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "org", + "operation_type", + "visibility", + "repo_id", + "created_at", + "actor", + "action", + "@timestamp", + "org_id", + "request_id", + "repo", + "_document_id" + ] }, { "action": "repo.noindex", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo_id", + "request_id", + "action", + "_document_id", + "@timestamp", + "actor_id", + "created_at", + "user", + "operation_type", + "actor", + "user_agent", + "repo", + "user_id", + "public_repo" + ] }, { "action": "repo.override_unlock", "description": "The repository was unlocked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_build", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "action", + "_document_id", + "actor_id", + "repo", + "repo_id", + "operation_type", + "user_agent", + "request_id", + "created_at", + "visibility", + "actor", + "user_id" + ] }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.require_login", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "visibility", + "operation_type", + "repo", + "_document_id", + "user", + "user_id", + "actor", + "actor_id", + "user_agent", + "repo_id", + "action", + "@timestamp", + "request_id" + ] }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_code_security.disable", "description": "Code security was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "repository_code_security.enable", "description": "Code security was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { "action": "repository_secret_scanning.enable", "description": "Secret scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_security_configuration.applied", "description": "A code security configuration was applied to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.failed", "description": "A code security configuration failed to attach to the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed", "description": "A code security configuration was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed_by_settings_change", "description": "A code security configuration was removed due to a change in repository or enterprise settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.reopen", "description": "A secret scanning alert was reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type_display_name" + ] }, { "action": "secret_scanning_alert.resolve", "description": "A secret scanning alert was resolved.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "resolution", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" + ] }, { "action": "secret_scanning_alert.revoke", "description": "A secret scanning alert was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_scan.completed", "description": "A secret scanning scan has completed on this repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "repo_id", + "org_id", + "business_id", + "source", + "type", + "source_slug", + "type_slug", + "started_at", + "completed_at", + "repo", + "public_repo", + "org", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "secret_types", + "custom_pattern_name", + "custom_pattern_scope" + ], "docs_reference_titles": "About secret scanning" }, { "action": "security_configuration.create", "description": "A security configuration was created", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_default.delete", "description": "A default security configuration setting for new repositories was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration_default.update", "description": "A default security configuration setting for new repositories was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration.delete", "description": "A security configuration was deleted", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_policy.update", "description": "A security configuration policy was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enforcement", + "security_configuration_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "security_configuration.update", "description": "A security configuration was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_key.register", "description": "A security key was registered for an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "created_at", + "user_id", + "action", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" + ] }, { "action": "security_key.remove", "description": "A security key was removed from an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "action", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "staff.set_domain_token_expiration", "description": "The verification code expiry time for an organization or enterprise domain was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "staff.unverify_domain", "description": "An organization or enterprise domain was unverified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "staff.verify_domain", "description": "An organization or enterprise domain was verified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "domain_name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { "action": "team.add_repository", "description": "A team was given access and permissions to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", + "org", + "repo", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { "action": "team.create", "description": "A new team is created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", + "org", + "actor", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { "action": "team.destroy", "description": "A team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", + "operation_type", + "_document_id", + "programmatic_access_type" + ] }, { "action": "team_discussions.clear", "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "actor_id", + "user", + "business", + "action", + "request_id", + "created_at", + "user_id", + "_document_id" + ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { "action": "team_discussions.enable", "description": "Team discussions were enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "@timestamp", + "action", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", + "user", + "business", + "operation_type", + "actor", + "created_at" + ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { "action": "team.remove_repository", "description": "A repository was removed from a team's control.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "org_id", + "repo", + "repo_id", + "action", + "_document_id", + "actor", + "@timestamp", + "actor_id", + "user_agent", + "created_at", + "team", + "org", + "operation_type", + "programmatic_access_type" + ] }, { "action": "team.rename", "description": "A team's name was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "user_agent", + "created_at", + "team", + "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team.update_repository_permission", "description": "A team's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "team", + "org_id", + "@timestamp", + "org", + "_document_id", + "old_permission", + "request_id", + "repo", + "action", + "repo_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "trusted_device.register", "description": "A new trusted device was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "trusted_device.remove", "description": "A trusted device was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "two_factor_account_recovery.abort", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "action", + "request_id", + "user_id", + "@timestamp", + "_document_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "two_factor_account_recovery.complete", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "created_at", + "user_id", + "operation_type", + "user", + "_document_id", + "user_agent", + "action" + ] }, { "action": "two_factor_account_recovery.ignore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "created_at", + "user_id", + "operation_type", + "@timestamp", + "user", + "action" + ] }, { "action": "two_factor_account_recovery.staff_approve", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "action", + "_document_id" + ] }, { "action": "two_factor_account_recovery.staff_decline", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user", + "created_at", + "request_id", + "actor_id", + "_document_id" + ] }, { "action": "two_factor_account_recovery.start", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" + ] }, { "action": "two_factor_account_recovery.two_factor_destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "user", + "_document_id", + "request_id" + ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { "action": "two_factor_authentication.password_reset_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", + "@timestamp", + "request_id", + "_document_id", + "user_agent" + ] }, { "action": "two_factor_authentication.recovery_codes_regenerated", "description": "Two factor recovery codes were regenerated for a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "action", + "user", + "user_agent", + "actor_id", + "@timestamp", + "created_at" + ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.sign_in_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "operation_type", + "user_id", + "user", + "user_agent", + "created_at", + "_document_id", + "action", + "@timestamp" + ] }, { "action": "two_factor_authentication.update_fallback", "description": "The two-factor authentication fallback for a user account was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "user", + "user_id", + "operation_type", + "user_agent", + "action", + "request_id", + "actor", + "actor_id" + ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { "action": "user.async_delete", "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "created_at", + "user", + "@timestamp", + "_document_id", + "request_id", + "actor_id", + "operation_type", + "user_agent", + "action", + "request_access_security_header" + ] }, { "action": "user.audit_log_export", "description": "Audit log entries were exported.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", + "operation_type", + "created_at" + ] }, { "action": "user.block_user", "description": "A user was blocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_id", + "_document_id", + "actor_id", + "@timestamp", + "user_agent", + "user", + "request_id", + "blocked_user", + "operation_type", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.change_password", "description": "A user changed their password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "actor", + "user", + "user_id", + "action", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.correct_password_from_unrecognized_device", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "user_agent", + "created_at", + "user", + "action", + "operation_type", + "request_id", + "user_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.correct_password_from_unrecognized_device_and_location", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "_document_id", + "@timestamp", + "created_at", + "user_agent", + "operation_type", + "request_id", + "user_id", + "action", + "request_access_security_header" + ] }, { "action": "user.correct_password_from_unrecognized_location", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "created_at", + "_document_id", + "user_agent", + "user_id", + "@timestamp", + "user", + "action", + "request_access_security_header" + ] }, { "action": "user.create", "description": "A new user account was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "email", + "user_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "created_at", + "_document_id", + "user_agent", + "actor", + "actor_id", + "action", + "programmatic_access_type" + ] }, { "action": "user.create_integration_secret", "description": "A user secret for Codespaces was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.creation_rate_limit_exceeded", "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "user_agent", + "_document_id", + "operation_type", + "oauth_application_id", + "action", + "actor", + "actor_id", + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.delete", "description": "A user account was destroyed by an asynchronous job.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "user_id", + "actor", + "actor_id", + "user", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.demote", "description": "A site administrator was demoted to an ordinary user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "oauth_application_id", + "action", + "user", + "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "_document_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.destroy", "description": "A user deleted his or her account, triggering user.async_delete.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "user", + "_document_id", + "created_at", + "user_agent", + "user_id", + "operation_type", + "actor_id", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.device_verification_failure", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.device_verification_requested", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user_id", + "actor", + "operation_type", + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" + ] }, { "action": "user.device_verification_success", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user", + "_document_id", + "action", + "operation_type", + "user_agent", + "created_at", + "request_id", + "actor", + "actor_id", + "user_id", + "request_access_security_header" + ] }, { "action": "user.disable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user_email.confirm_claim", "description": "An enterprise managed user claimed an email address.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { "action": "user.enable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.failed_login", "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", + "actor", + "actor_id", + "user_agent" + ] }, { "action": "user.flag_as_large_scale_contributor", "description": "A user account was flagged as a large scale contributor. Only contributions from public repositories the user owns will be shown in their contribution graph, in order to prevent timeouts.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "user_agent", + "created_at" + ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { "action": "user.grant_github_developer", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", + "@timestamp", + "_document_id", + "user", + "user_id", + "actor", + "operation_type", + "request_id" + ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.login", "description": "A user signed in.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "actor_id", + "@timestamp", + "user", + "action", + "operation_type", + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" + ] }, { "action": "user.logout", "description": "A user signed out.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.minimize_comment", "description": "A comment made by a user was minimized.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "actor_id", + "@timestamp", + "created_at", + "operation_type", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.new_device_used", "description": "A user signed in from a new device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ] }, { "action": "user.partial_two_factor_email_followup", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "_document_id", + "action", + "@timestamp", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "user.promote", "description": "An ordinary user account was promoted to a site administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "actor", + "actor_id", + "user", + "@timestamp", + "created_at", + "user_agent", + "oauth_application_id", + "request_id", + "operation_type", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.recreate", "description": "A user's account was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user", + "action", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user_id", + "created_at", + "actor", + "operation_type" + ] }, { "action": "user.remove_email", "description": "An email address was removed from a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "@timestamp", + "_document_id", + "request_id", + "user", + "user_id", + "operation_type", + "actor", + "actor_id", + "created_at", + "email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.remove_integration_secret", "description": "A user secret for Codespaces was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.remove_large_scale_contributor_flag", "description": "A user account was no longer flagged as a large scale contributor.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.rename", "description": "A username was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "request_id", + "actor_id", + "old_login", + "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", + "operation_type", + "user_agent", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.report_abuse", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "user_agent", + "request_id", + "action", + "@timestamp", + "created_at", + "org_id", + "_document_id", + "actor", + "actor_id", + "user", + "operation_type" + ] }, { "action": "user.report_content", "description": "Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam", + "fields": [ + "org_id", + "request_id", + "user", + "user_agent", + "action", + "created_at", + "actor", + "operation_type", + "actor_id", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam" }, { "action": "user.reset_password", "description": "A user reset their account password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "user", + "request_id", + "user_id", + "created_at", + "@timestamp", + "_document_id", + "actor", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_session.country_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_id", + "action", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.sign_in_from_unrecognized_device", "description": "A user signed in from an unrecognized device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "operation_type", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_device_and_location", "description": "A user signed in from an unrecognized device and location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "request_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_location", "description": "A user signed in from an unrecognized location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "action", + "operation_type", + "user_agent", + "user", + "_document_id", + "actor", + "created_at", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user_status.destroy", "description": "Triggered when you clear the status on your profile.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_id", + "actor", + "message", + "user", + "actor_id", + "created_at", + "request_id", + "limited_availability", + "action", + "emoji", + "operation_type", + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { "action": "user.suspend", "description": "A user account was suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "operation_type", + "actor_id", + "user", + "user_agent", + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.toggle_warn_private_email", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "actor_id", + "@timestamp", + "operation_type", + "_document_id", + "user_agent", + "actor", + "action", + "user_id", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_success", "description": "A 2FA challenge issued for a user account succeeded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_id", + "operation_type", + "actor_id", + "user", + "actor", + "user_agent", + "request_id", + "action", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_recover", "description": "A user used their 2FA recovery codes.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", + "action", + "actor", + "actor_id", + "created_at", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_downloaded", "description": "A user downloaded 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "actor_id", + "user", + "request_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_printed", "description": "A user printed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", + "actor", + "actor_id", + "@timestamp" + ] }, { "action": "user.two_factor_recovery_codes_viewed", "description": "A user viewed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "actor", + "user_id", + "action", + "created_at", + "user", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { "action": "user.unblock_user", "description": "A user was unblocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", + "actor", + "@timestamp", + "user_agent", + "user_id", + "user", + "created_at", + "request_access_security_header" + ] }, { "action": "user.unminimize_comment", "description": "A comment made by a user was unminimized.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user_agent", + "_document_id", + "actor_id", + "user", + "user_id", + "operation_type", + "request_id", + "actor", + "action", + "created_at" + ] }, { "action": "user.unsuspend", "description": "A user account was unsuspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "user", + "action", + "user_agent", + "actor", + "oauth_application_id", + "operation_type", + "actor_id", + "created_at", + "@timestamp", + "user_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.update_integration_secret", "description": "A user secret for Codespaces was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.update_new_repository_default_branch_setting", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.18/organization.json b/src/audit-logs/data/ghes-3.18/organization.json index 16bdc5469cc8..46fb378157bf 100644 --- a/src/audit-logs/data/ghes-3.18/organization.json +++ b/src/audit-logs/data/ghes-3.18/organization.json @@ -2,4128 +2,16900 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "advisory_credit.accept", "description": "Credit was accepted for a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory" }, { "action": "advisory_credit.create", "description": "Someone was added to the credit section of a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "advisory_credit.decline", "description": "Credit was declined for a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "advisory_credit.destroy", "description": "Someone was removed from the credit section of a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "ghsa_id", + "repo", + "repo_id", + "recipient", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "auto_approve_personal_access_token_requests.disable", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources. See also: personal_access_token.auto_approve_grant_requests_disabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "auto_approve_personal_access_token_requests.enable", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval. See also: personal_access_token.auto_approve_grant_requests_enabled", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization" }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "code_scanning.alert_appeared_in_branch", "description": "Existing code scanning alerts appeared in a branch.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_fixed", "description": "Code scanning alerts were fixed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_became_outdated", "description": "Code scanning alerts were closed as outdated (all configurations they were detected in were deleted).", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_numbers", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closed_by_user", "description": "Code scanning alerts were manually dismissed.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers", + "dismissal_approver_id" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_approved", "description": "Dismissal of code scanning alerts was approved.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_denied", "description": "Dismissal of code scanning alerts was denied.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_closure_requested", "description": "Dismissal of code scanning alerts was requested.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "dismissal_request_id", + "alert_number", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_created", "description": "Code scanning alerts were seen for the first time.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reappeared", "description": "Code scanning alerts that were previously fixed reappeared.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "commit_oid", + "ref", + "request_id", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "code_scanning.alert_reopened_by_user", "description": "Code scanning alerts that were previously dismissed were reopened.", "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning", + "fields": [ + "repo_id", + "alert_number", + "actor_id", + "request_id", + "actor", + "org_id", + "org", + "business_id", + "business", + "alert_numbers" + ], "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning" }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.attempted_to_create_from_prebuild", "description": "An attempt to create a codespace from a prebuild was made.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "pull_request_id", + "repository", + "repository_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "codespaces.business_enablement_updated", "description": "Enterprise setting for Codespaces ownership was updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "organization_names", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.policy_group_created", "description": "Policies were applied to codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.policy_group_deleted", "description": "Policies were removed from codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "codespaces.policy_group_updated", "description": "Policies were updated for codespaces in an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "commit_comment.destroy", "description": "A commit comment was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "repo", + "org", + "org_id", + "created_at", + "@timestamp", + "operation_type", + "repo_id", + "actor_id", + "request_id", + "_document_id", + "user_agent", + "action", + "programmatic_access_type" + ] }, { "action": "commit_comment.update", "description": "A commit comment was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "repo_id", + "actor", + "org", + "request_id", + "action", + "@timestamp", + "repo", + "org_id", + "actor_id", + "created_at", + "user_agent", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "copilot.access_revoked", "description": "Copilot access was revoked for the organization or enterprise due to its Copilot subscription ending, an issue with billing the entity, the entity being marked spammy, or the entity being suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "plan", + "org_id", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "copilot.cfb_org_settings_changed", "description": "Copilot feature settings were changed at the organization level.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.cfb_seat_management_changed", "description": "The seat management setting was changed at the organization level to either enable or disable Copilot access for all members of the organization, or to enable Copilot access for selected members or teams.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_value", + "new_value", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "copilot.content_exclusion_changed", "description": "The excluded paths for GitHub Copilot were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "excluded_paths", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.custom_instructions_created", "description": "Copilot custom instructions were created for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "custom_instructions" + ] }, { "action": "copilot.custom_instructions_updated", "description": "Copilot custom instructions were updated for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "custom_instructions" + ] }, { "action": "copilot.knowledge_base_created", "description": "A knowledge base was created in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_deleted", "description": "A knowledge base was deleted from the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.knowledge_base_updated", "description": "A knowledge base was updated in the organization.", "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases", - "docs_reference_titles": "Managing Copilot knowledge bases" + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "knowledge_base_name", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], + "docs_reference_titles": "Creating and managing Copilot knowledge bases" }, { "action": "copilot.plan_changed", "description": "The plan for GitHub Copilot was updated.", "docs_reference_links": "/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_plan", + "plan", + "business_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About billing for GitHub Copilot" }, { "action": "copilot.plan_downgrade_scheduled", "description": "The plan for GitHub Copilot was scheduled to be downgraded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "current_plan", + "scheduled_plan" + ] }, { "action": "copilot.swe_agent_repo_disabled", "description": "Specific repositories were disabled from using Copilot coding agent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "owner_type", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.swe_agent_repo_enabled", "description": "Specific repositories were enabled to use Copilot coding agent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "org_id", + "owner_type", + "owner", + "repo", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.swe_agent_repo_enablement_updated", "description": "Copilot coding agent access was updated for the organization's or user's repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "new_access", + "old_access", + "org_id", + "owner_type", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_property_definition.create", "description": "A new custom property definition was created.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.destroy", "description": "A custom property definition was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "value_type", + "required", + "default_value", + "definition_id", + "allowed_values" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_definition.update", "description": "A custom property definition was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "property_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "value_type", + "required", + "default_value", + "old_allowed_values", + "allowed_values", + "definition_id", + "old_required", + "old_default_value", + "old_value_type", + "old_values_editable_by", + "values_editable_by", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.create", "description": "A repository's custom property value was manually set for the first time.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "definition_id", + "property_name", + "value", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.destroy", "description": "A repository's custom property value was deleted.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "custom_property_value.update", "description": "A repository's custom property value was updated.", "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repository", + "repository_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "definition_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization" }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.default_access_level_updated", "description": "The default repository access for Dependabot was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "org", + "org_id", + "access_level", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "discussion_comment.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "repo_id", + "request_id", + "action", + "actor", + "org_id", + "_document_id", + "actor_id", + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "discussion_comment.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "@timestamp", + "actor", + "user_agent", + "request_id", + "org", + "_document_id", + "actor_id", + "operation_type", + "created_at", + "repo", + "org_id", + "action", + "request_access_security_header" + ] }, { "action": "discussion.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "user_agent", + "actor_id", + "org_id", + "actor", + "org", + "action", + "operation_type", + "@timestamp", + "request_id", + "title", + "_document_id", + "created_at", + "repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "discussion_post.destroy", "description": "Triggered when a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "request_id", + "team", + "created_at", + "user_id", + "@timestamp", + "number", + "org", + "title", + "actor", + "actor_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.destroy", "description": "Triggered when a reply to a team discussion post is deleted.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment", + "fields": [ + "actor_id", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user_id", + "actor", + "number", + "user", + "created_at", + "request_id", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment" }, { "action": "discussion_post_reply.update", "description": "Triggered when a reply to a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "action", + "_document_id", + "request_id", + "org", + "@timestamp", + "actor_id", + "operation_type", + "user", + "user_id", + "org_id", + "user_agent", + "actor", + "number", + "team", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "discussion_post.update", "description": "Triggered when a team discussion post is edited.", "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment", + "fields": [ + "created_at", + "_document_id", + "title", + "user", + "user_agent", + "org", + "operation_type", + "actor_id", + "@timestamp", + "actor", + "team", + "action", + "org_id", + "request_id", + "user_id", + "number" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment" }, { "action": "enterprise_announcement.create", "description": "A global announcement banner was created for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.destroy", "description": "A global announcement banner was removed from the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_announcement.update", "description": "A global announcement banner was updated for the enterprise.", "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner", + "owner_type", + "business_id", + "message", + "old_message", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Customizing user messages for your enterprise" }, { "action": "enterprise_installation.create", "description": "The GitHub App associated with a GitHub Connect connection was created.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "operation_type", + "@timestamp", + "_document_id", + "org_id", + "action", + "request_id", + "org", + "actor_id", + "user_agent", + "actor" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "enterprise_installation.destroy", "description": "The GitHub App associated with a GitHub Connect connection was deleted.", "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect", + "fields": [ + "created_at", + "_document_id", + "action", + "@timestamp", + "actor_id", + "actor", + "user_agent", + "org", + "operation_type", + "request_id", + "org_id" + ], "docs_reference_titles": "Enabling GitHub Connect for GitHub.com" }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "git.clone", "description": "A repository was cloned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.fetch", "description": "Changes were fetched from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "git.push", "description": "Changes were pushed to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "transport_protocol", + "request_id", + "repository", + "repository_id", + "repository_public", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "user", + "user_id", + "transport_protocol_name" + ] }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation_request.close", "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "url", + "actor", + "actor_id", + "created_at", + "request_id", + "operation_type", + "@timestamp", + "integration", + "action", + "user_agent", + "reason", + "_document_id", + "org", + "org_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation_request.create", "description": "A member requested that an owner install a GitHub App.", "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner", + "fields": [ + "@timestamp", + "actor_id", + "org", + "_document_id", + "requester", + "action", + "user_agent", + "created_at", + "url", + "org_id", + "request_id", + "operation_type", + "actor", + "integration", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "ip_allow_list.disable", "description": "An IP allow list was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "actor", + "request_id", + "org", + "user_agent", + "_document_id", + "user_id", + "actor_id", + "created_at", + "org_id", + "action", + "@timestamp", + "user" + ] }, { "action": "ip_allow_list.disable_for_installed_apps", "description": "An IP allow list was disabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list.enable", "description": "An IP allow list was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "business", + "user_id", + "request_id", + "actor", + "user", + "business_id", + "_document_id", + "action", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "org", + "created_at" + ] }, { "action": "ip_allow_list.enable_for_installed_apps", "description": "An IP allow list was enabled for installed GitHub Apps.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "ip_allow_list_entry.create", "description": "An IP address was added to an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "active", + "org", + "ip_allow_list_entry", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "actor_id", + "business_id", + "org_id", + "business", + "actor", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.destroy", "description": "An IP address was deleted from an IP allow list.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "ip_allow_list_entry", + "org", + "operation_type", + "created_at", + "active", + "action", + "@timestamp", + "business", + "business_id", + "user_agent", + "org_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "ip_allow_list_entry.update", "description": "An IP address or its description was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "actor", + "org", + "action", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "ip_allow_list_entry", + "active", + "org_id", + "@timestamp" + ] }, { "action": "issue_comment.destroy", "description": "A comment on an issue was deleted from the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "org", + "repo", + "actor_id", + "@timestamp", + "created_at", + "_document_id", + "action", + "operation_type", + "user_agent", + "repo_id", + "actor", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "issue_comment.update", "description": "A comment on an issue (other than the initial one) changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "action", + "repo_id", + "org_id", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "_document_id", + "actor_id", + "actor", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "issue.destroy", "description": "An issue was deleted from the repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/deleting-an-issue", + "fields": [ + "user", + "actor_id", + "created_at", + "title", + "@timestamp", + "_document_id", + "request_id", + "actor", + "user_id", + "action", + "operation_type", + "user_agent", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting an issue" }, { "action": "issue.pinned", "description": "An issue was pinned to a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "_document_id", + "user_agent", + "actor_id", + "created_at", + "action", + "actor", + "operation_type", + "owner_type", + "@timestamp", + "repo_id", + "request_id", + "number", + "repo", + "event", + "user", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issue.transfer", "description": "An issue was transferred to another repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/transferring-an-issue-to-another-repository", + "fields": [ + "user", + "user_id", + "@timestamp", + "user_agent", + "owner_type", + "actor_id", + "number", + "repo", + "operation_type", + "_document_id", + "repo_id", + "action", + "request_id", + "created_at", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "Transferring an issue to another repository" }, { "action": "issue_type.create", "description": "An issue type was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "issue_type_name", + "description", + "color", + "enabled", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "issue_type.destroy", "description": "An issue type was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "issue_type_name", + "description", + "color", + "enabled", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "issue_type.update", "description": "An issue type was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "issue_type_name", + "description", + "color", + "enabled", + "old_issue_type_name", + "old_description", + "old_color", + "old_enabled", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "issue.unpinned", "description": "An issue was unpinned from a repository.", "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository", + "fields": [ + "event", + "user_agent", + "actor_id", + "repo_id", + "actor", + "action", + "created_at", + "request_id", + "repo", + "operation_type", + "_document_id", + "number", + "owner_type", + "@timestamp", + "user", + "user_id", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Pinning an issue to your repository" }, { "action": "issues.deletes_disabled", "description": "The ability for enterprise members to delete issues was disabled Members cannot delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user_agent", + "action", + "@timestamp", + "operation_type", + "request_id", + "actor_id", + "user_id", + "created_at", + "_document_id", + "actor", + "user", + "org", + "org_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_enabled", "description": "The ability for enterprise members to delete issues was enabled Members can delete issues in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "operation_type" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "issues.deletes_policy_cleared", "description": "An enterprise owner cleared the policy setting for allowing members to delete issues in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues", + "fields": [ + "user", + "request_id", + "actor", + "business_id", + "action", + "operation_type", + "user_agent", + "created_at", + "@timestamp", + "_document_id", + "business", + "user_id", + "actor_id" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "members_can_create_pages.disable", "description": "The ability for members to publish GitHub Pages sites was disabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_pages.enable", "description": "The ability for members to publish GitHub Pages sites was enabled.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.disable", "description": "The ability for members to publish private GitHub Pages was disabled Members cannot publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_private_pages.enable", "description": "The ability for members to publish private GitHub Pages was enabled Members can publish private GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.disable", "description": "The ability for members to publish public GitHub Pages was disabled Members cannot publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_create_public_pages.enable", "description": "The ability for members to publish public GitHub Pages was enabled Members can publish public GitHub Pages in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization" }, { "action": "members_can_delete_repos.clear", "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "_document_id", + "request_id", + "user", + "user_id", + "business", + "operation_type", + "user_agent", + "actor", + "actor_id", + "business_id", + "@timestamp", + "created_at", + "action" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.disable", "description": "The ability for enterprise members to delete repositories was disabled Members cannot delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "request_id", + "org", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "actor", + "operation_type", + "org_id", + "action", + "@timestamp", + "created_at" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_delete_repos.enable", "description": "The ability for enterprise members to delete repositories was enabled Members can delete or transfer repositories in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer", + "fields": [ + "action", + "org_id", + "user_id", + "business", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user", + "business_id", + "created_at", + "actor", + "org", + "operation_type", + "user_agent" + ], "docs_reference_titles": "Enforcing repository management policies in your enterprise" }, { "action": "members_can_view_dependency_insights.clear", "description": "An enterprise owner cleared the policy setting for viewing dependency insights in any organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "created_at", + "request_id", + "actor", + "action", + "operation_type" + ] }, { "action": "members_can_view_dependency_insights.disable", "description": "The ability for enterprise members to view dependency insights was disabled. Members cannot view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "business", + "created_at", + "user_id", + "business_id", + "user", + "org", + "operation_type", + "request_id", + "actor", + "_document_id", + "action", + "user_agent", + "actor_id", + "org_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "members_can_view_dependency_insights.enable", "description": "The ability for enterprise members to view dependency insights was enabled. Members can view dependency insights in any organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "user_agent", + "user", + "user_id", + "business", + "business_id", + "operation_type", + "@timestamp", + "action", + "actor", + "actor_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "migration.destroy_file", "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "org_id", + "action", + "operation_type", + "created_at", + "repo", + "_document_id", + "repo_id", + "request_access_security_header" + ] }, { "action": "migration.download", "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was downloaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "oauth_application_id", + "repo_id", + "operation_type", + "@timestamp", + "user_agent", + "created_at", + "org", + "action", + "_document_id", + "repo", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "network_configuration.create", "description": "A network configuration for a hosted compute service was created.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.delete", "description": "A network configuration for a hosted compute service was deleted.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "network_configuration_id" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "network_configuration.update", "description": "A network configuration for a hosted compute service was updated.", "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "selected_service", + "network_settings_ids", + "previous_settings_ids" + ], "docs_reference_titles": "About networking for hosted compute products in your enterprise" }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "org.accept_business_invitation", "description": "An invitation sent to an organization to join an enterprise was accepted.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.add_billing_manager", "description": "A billing manager was added to an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization", + "fields": [ + "operation_type", + "_document_id", + "user_agent", + "org", + "user_id", + "action", + "created_at", + "org_id", + "user", + "actor", + "actor_id", + "@timestamp", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization" }, { "action": "org.add_disallowed_two_factor_method", "description": "An organization prevented access to resources by users with the given two-factor method.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "two_factor_method", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.add_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_entity_policy_update", "description": "An enterprise owner updated the GitHub Advanced Security access policy for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "new_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_disabled", "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.advanced_security_policy_selected_member_enabled", "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.", "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_disabled", "description": "Third-party application access for outside collaborators was disabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.allow_third_party_access_requests_from_outside_collaborators_enabled", "description": "Third-party application access for outside collaborators was enabled for the organization.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests" }, { "action": "org.archive", "description": "The organization was archived.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.audit_log_export", "description": "An export of the organization audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log", + "fields": [ + "org_id", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "actor", + "org", + "action", + "created_at", + "user_agent", + "actor_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log" }, { "action": "org.audit_log_git_event_export", "description": "An export of the organization's Git events was created.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "start", + "end", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization" }, { "action": "org.billing_signup_error", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_agent", + "action", + "@timestamp", + "actor_id", + "org_id", + "_document_id", + "actor", + "org", + "operation_type" + ] }, { "action": "org.block_user", "description": "An organization owner blocked a user from accessing the organization's repositories.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization", + "fields": [ + "actor", + "user_agent", + "org_id", + "created_at", + "_document_id", + "blocked_user", + "action", + "operation_type", + "actor_id", + "org", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization" }, { "action": "org.cancel_business_invitation", "description": "An invitation for an organization to join an enterprise was revoked", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "initiated_from" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.cancel_invitation", "description": "An invitation sent to a user to join an organization was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "org_id", + "request_id", + "email", + "@timestamp", + "actor", + "action", + "operation_type", + "user_agent", + "org", + "invitation_id", + "_document_id", + "created_at", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.clear_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "org.clear_disallowed_two_factor_methods", "description": "Cleared two-factor authentication restrictions for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "org.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.codeql_disabled", "description": "Code scanning using the default setup was disabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codeql_enabled", "description": "Code scanning using the default setup was enabled for an organization.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale" }, { "action": "org.codespaces_access_updated", "description": "Access to use Codespaces on internal and private repositories was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enablement", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization" }, { "action": "org.codespaces_ownership_updated", "description": "Ownership and payment for codespaces was updated for an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "owner_type", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization" }, { "action": "org.codespaces_team_access_allowed", "description": "A team has been allowed to use Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.codespaces_team_access_revoked", "description": "A team has been prevented from using Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to all other repositories in an organization.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to all other repositories in an organization was revoked.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "org.codespaces_user_access_allowed", "description": "A user has been allowed to use Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.codespaces_user_access_revoked", "description": "A user has been prevented from using Codespaces for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.config.disable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "request_id", + "org", + "action", + "operation_type", + "_document_id", + "actor", + "actor_id", + "@timestamp", + "user_agent", + "org_id", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "operation_type", + "@timestamp", + "created_at", + "user_agent", + "action", + "actor_id", + "org", + "_document_id", + "actor", + "org_id", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "_document_id", + "operation_type", + "actor_id", + "org_id", + "action", + "created_at", + "actor", + "org", + "@timestamp", + "user_agent", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_collaborators_only", "description": "The interaction limit for collaborators only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "actor", + "org", + "org_id", + "request_id", + "operation_type", + "action", + "user_agent" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_contributors_only", "description": "The interaction limit for prior contributors only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor", + "actor_id", + "org_id", + "action", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "org", + "created_at", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users only for an organization was enabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization", + "fields": [ + "actor_id", + "request_id", + "action", + "created_at", + "user_agent", + "actor", + "_document_id", + "org_id", + "operation_type", + "org", + "@timestamp" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization" }, { "action": "org.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.confirm_business_invitation", "description": "An invitation for an organization to join an enterprise was confirmed.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.connect_usage_metrics_export", "description": "Server statistics were exported for the organization.", "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/exporting-server-statistics", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Exporting Server Statistics" }, { "action": "org.create", "description": "An organization was created.", "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch", + "fields": [ + "request_id", + "org", + "actor_id", + "actor", + "action", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "org_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch" }, { "action": "org.create_actions_secret", "description": "A GitHub Actions secret was created for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.create_actions_variable", "description": "A GitHub Actions variable was created for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org_credential_authorization.deauthorize", "description": "A member removed the SSO (SAML or OIDC) authorization from a credential that had access to your organization.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor_id", + "org_id", + "business", + "action", + "@timestamp", + "org", + "_document_id", + "business_id", + "actor", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authorizing a personal access token for use with single sign-on" }, { "action": "org_credential_authorization.grant", "description": "A member authorized credentials for use with SAML or OIDC single sign-on.", "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "created_at", + "org_id", + "business_id", + "operation_type", + "request_id", + "_document_id", + "action", + "actor_id", + "business", + "org", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "oauth_credential_type", + "request_access_security_header", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Authenticating with single sign-on" }, { "action": "org_credential_authorization.revoke", "description": "An owner revoked authorized credentials.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization", + "fields": [ + "actor", + "org", + "@timestamp", + "owner", + "oauth_application_id", + "org_id", + "operation_type", + "action", + "business", + "request_id", + "created_at", + "business_id", + "actor_id", + "_document_id", + "user_agent", + "oauth_credential_type", + "managed_oauth_access_id", + "managed_token_id", + "managed_oauth_scopes", + "managed_token_scopes", + "managed_hashed_token" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.delete", "description": "An organization was deleted by a user or staff.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "@timestamp", + "_document_id", + "created_at", + "actor", + "org_id", + "org", + "action", + "actor_id", + "operation_type", + "request_id", + "request_access_security_header" + ] }, { "action": "org.disable_member_team_creation_permission", "description": "Team creation was limited to owners.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "actor", + "@timestamp", + "_document_id", + "user", + "user_id", + "action", + "created_at", + "actor_id", + "user_agent", + "org", + "org_id", + "operation_type", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.disable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were disabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "org_id", + "action", + "_document_id", + "request_id", + "@timestamp", + "actor", + "org", + "operation_type", + "user_agent", + "created_at" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.disable_reader_discussion_creation_permission", "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.disable_saml", "description": "SAML single sign-on was disabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "sso_url", + "issuer", + "action", + "@timestamp", + "_document_id", + "created_at", + "org", + "operation_type" + ] }, { "action": "org.disable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.disable_two_factor_requirement", "description": "A two-factor authentication requirement was disabled for the organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "org_id", + "action", + "actor", + "actor_id", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "user_agent" + ] }, { "action": "org.display_commenter_full_name_disabled", "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "user", + "action", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "user_agent", + "org", + "actor_id", + "org_id", + "request_id" + ] }, { "action": "org.display_commenter_full_name_enabled", "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_agent", + "request_id", + "actor", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "user", + "action", + "actor_id", + "org_id" + ] }, { "action": "org.enable_member_team_creation_permission", "description": "Team creation by members was allowed.", "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization", + "fields": [ + "org_id", + "user", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "user_agent", + "actor_id", + "org", + "request_id", + "action", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization" }, { "action": "org.enable_oauth_app_restrictions", "description": "Third-party application access restrictions for an organization were enabled.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization", + "fields": [ + "actor_id", + "operation_type", + "org", + "created_at", + "_document_id", + "actor", + "org_id", + "action", + "user_agent", + "request_id", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization" }, { "action": "org.enable_reader_discussion_creation_permission", "description": "An organization owner allowed users with read access to create discussions in an organization", "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization" }, { "action": "org.enable_saml", "description": "SAML single sign-on was enabled for the organization.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization", + "fields": [ + "actor_id", + "action", + "operation_type", + "actor", + "sso_url", + "org", + "created_at", + "@timestamp", + "issuer", + "org_id", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization" }, { "action": "org.enable_source_ip_disclosure", "description": "Display of IP addresses within audit log events for the organization was enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" }, { "action": "org.enable_two_factor_requirement", "description": "Two-factor authentication is now required for the organization.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "actor_id", + "action", + "_document_id", + "org", + "@timestamp", + "actor", + "user_agent", + "org_id", + "operation_type", + "created_at", + "request_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.integration_manager_added", "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "org_id", + "manager", + "@timestamp", + "request_id", + "actor", + "operation_type", + "_document_id", + "actor_id", + "org", + "action", + "created_at" + ] }, { "action": "org.integration_manager_removed", "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "@timestamp", + "org", + "user_agent", + "request_id", + "action", + "actor", + "actor_id", + "manager", + "operation_type", + "created_at", + "_document_id" + ] }, { "action": "org.invite_member", "description": "A new user was invited to join an organization.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization", + "fields": [ + "org", + "user_id", + "invitation_id", + "org_id", + "user", + "action", + "operation_type", + "_document_id", + "actor", + "@timestamp", + "created_at", + "user_agent", + "actor_id", + "request_id", + "invitee_email", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization" }, { "action": "org.invite_to_business", "description": "An organization was invited to join an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.members_can_update_protected_branches.disable", "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "org.members_can_update_protected_branches.enable", "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "org_id", + "user_agent", + "actor_id", + "user_id", + "operation_type", + "@timestamp", + "created_at", + "request_id", + "_document_id", + "actor", + "user", + "action" + ] }, { "action": "org.oauth_app_access_approved", "description": "Access to an organization was granted for an OAuth App.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization", + "fields": [ + "url", + "actor", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "org_id", + "_document_id", + "org", + "action", + "created_at", + "@timestamp", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization" }, { "action": "org.oauth_app_access_blocked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "url", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.oauth_app_access_denied", "description": "Access was disabled for an OAuth App that was previously approved.", "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization", + "fields": [ + "request_id", + "url", + "created_at", + "org_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "org", + "operation_type", + "actor", + "actor_id", + "oauth_application_name" + ], "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization" }, { "action": "org.oauth_app_access_requested", "description": "An organization member requested that an owner grant an OAuth App access to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "_document_id", + "request_id", + "url", + "org_id", + "action", + "@timestamp", + "org", + "request_access_security_header", + "oauth_application_name" + ] }, { "action": "org.oauth_app_access_unblocked", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "url", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "org.rate_limited_invites", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "org_id", + "action", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org" + ] }, { "action": "org.recovery_code_failed", "description": "An organization owner failed to sign into a organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "reason", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_code_used", "description": "An organization owner successfully signed into an organization with an external identity provider (IdP) using a recovery code.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Accessing your organization if your identity provider is unavailable" }, { "action": "org.recovery_codes_downloaded", "description": "An organization owner downloaded the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_generated", "description": "An organization owner generated the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_printed", "description": "An organization owner printed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.recovery_codes_viewed", "description": "An organization owner viewed the organization's SSO recovery codes.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes" }, { "action": "org.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization", + "fields": [ + "actor", + "operation_type", + "@timestamp", + "_document_id", + "request_id", + "org", + "org_id", + "action", + "created_at", + "user_agent", + "actor_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "org.remove_actions_secret", "description": "A GitHub Actions secret was removed from an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.remove_actions_variable", "description": "A GitHub Actions variable was removed from an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.remove_billing_manager", "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "fields": [ + "user_id", + "user_agent", + "org_id", + "user", + "action", + "_document_id", + "operation_type", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "created_at" + ], "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization" }, { "action": "org.remove_disallowed_two_factor_method", "description": "Removed a two-factor authentication method restriction for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "two_factor_method", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "org.remove_integration_secret", "description": "A Codespaces or Dependabot secret was removed from an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.remove_outside_collaborator", "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user", + "org_id", + "created_at", + "request_id", + "@timestamp", + "action", + "operation_type", + "user_agent", + "_document_id", + "actor", + "actor_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.remove_security_manager", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "team", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ] }, { "action": "org.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization", + "fields": [ + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor_id", + "org", + "created_at", + "actor", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "org.rename", "description": "An organization was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "@timestamp", + "org", + "action", + "actor", + "old_login", + "org_id", + "request_id", + "actor_id", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "org.required_workflow_create", "description": "Triggered when a required workflow is created.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_delete", "description": "Triggered when a required workflow is deleted.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.required_workflow_update", "description": "Triggered when a required workflow is updated.", "docs_reference_links": "/actions/using-workflows/required-workflows", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/actions/using-workflows/required-workflows" }, { "action": "org.restore_member", "description": "An organization member was restored.", "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization", + "fields": [ + "user", + "actor", + "user_id", + "_document_id", + "action", + "created_at", + "org_id", + "operation_type", + "request_id", + "@timestamp", + "user_agent", + "org", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization" }, { "action": "org.revoke_external_identity", "description": "A member's linked identity was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor", + "org", + "org_id", + "user", + "operation_type", + "user_id", + "@timestamp", + "action", + "actor_id", + "user_agent", + "_document_id", + "request_id", + "created_at" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.revoke_sso_session", "description": "A member's SAML session was revoked.", "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity", + "fields": [ + "actor_id", + "created_at", + "user", + "action", + "operation_type", + "@timestamp", + "org", + "org_id", + "user_agent", + "request_id", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Viewing and managing a member's SAML access to your organization" }, { "action": "org.runner_group_created", "description": "A self-hosted runner group was created.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_removed", "description": "A self-hosted runner group was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_renamed", "description": "A self-hosted runner group was renamed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runner_removed", "description": "The REST API was used to remove a self-hosted runner from a group.", "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "runner_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization" }, { "action": "org.runner_group_runners_added", "description": "A self-hosted runner was added to a group.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_runners_updated", "description": "A runner group's list of members was updated.", "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "runner_group_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization" }, { "action": "org.runner_group_updated", "description": "The configuration of a self-hosted runner group was changed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "runner_group_name", + "runner_group_allow_public", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "runner_group_restricted_to_workflows", + "runner_group_selected_workflow_refs", + "programmatic_access_type", + "network_configuration_id", + "request_access_security_header" + ], "docs_reference_titles": "Managing access to self-hosted runners using groups" }, { "action": "org.runner_group_visiblity_updated", "description": "The visibility of a self-hosted runner group was updated via the REST API.", "docs_reference_links": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "runner_group_id", + "visibility", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ], "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the organization level", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization" }, { "action": "org_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org.secret_scanning_custom_pattern_push_protection_enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "org_secret_scanning_generic_secrets.disabled", "description": "Generic secrets have been disabled at the organization level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "org_secret_scanning_generic_secrets.enabled", "description": "Generic secrets have been enabled at the organization level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "org_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the organization level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "org_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the organization level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_disabled", "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_enabled", "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_custom_message_updated", "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_disable", "description": "Push protection for secret scanning was disabled.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_enable", "description": "Push protection for secret scanning was enabled.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_disable", "description": "Push protection for secret scanning was disabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org.secret_scanning_push_protection_new_repos_enable", "description": "Push protection for secret scanning was enabled for all new repositories in the organization.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "token_scopes" + ], "docs_reference_titles": "About push protection" }, { "action": "org_secret_scanning_push_protection_pattern_configuration.updated", "description": "The push protection pattern configuration was updated for your org.", "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp" + ], "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise" }, { "action": "org.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the CodeQL pull request alerts page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "org.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "org_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_custom_invitation_rate_limit", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "_document_id", + "org_id", + "operation_type", + "actor", + "actor_id", + "@timestamp", + "request_id", + "created_at", + "org", + "action" + ] }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.sso_response", "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "user_agent", + "actor", + "actor_id", + "org_id", + "@timestamp", + "org", + "issuer", + "business", + "operation_type", + "created_at", + "request_id", + "business_id", + "_document_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.transfer", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "from_business", + "to_business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.transfer_outgoing", "description": "An organization was transferred between enterprise accounts.", "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "business", + "business_id", + "from_business", + "to_business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Adding organizations to your enterprise" }, { "action": "org.unarchive", "description": "The organization was unarchived.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.unblock_user", "description": "A user was unblocked from an organization.", "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization", + "fields": [ + "oauth_application_id", + "_document_id", + "blocked_user", + "action", + "operation_type", + "@timestamp", + "request_id", + "created_at", + "actor", + "actor_id", + "org", + "org_id", + "user_agent" + ], "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization" }, { "action": "org.update_actions_secret", "description": "A GitHub Actions secret was updated for an organization.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "created_at", + "key", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "org.update_actions_settings", "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "updated_allowed_types", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization" }, { "action": "org.update_actions_variable", "description": "A GitHub Actions variable was updated for an organization.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "org.update_default_repository_permission", "description": "The default repository permission level for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "operation_type", + "created_at", + "org", + "org_id", + "request_id", + "@timestamp", + "user_agent", + "permission", + "actor_id", + "old_permission", + "_document_id", + "programmatic_access_type" + ] }, { "action": "org.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "org.update_new_repository_default_branch_setting", "description": "The name of the default branch was changed for new repositories in the organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization" }, { "action": "org.update_repo_self_hosted_runners_policy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_repo_runners_policy", + "new_repo_runners_policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "org.update_saml_provider_settings", "description": "An organization's SAML provider settings were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "sso_url", + "actor_id", + "operation_type", + "@timestamp", + "issuer", + "org", + "_document_id", + "actor", + "org_id", + "created_at", + "request_id", + "action" + ] }, { "action": "org.update_terms_of_service", "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.", "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement", + "fields": [ + "request_id", + "org_id", + "actor", + "actor_id", + "user_agent", + "operation_type", + "_document_id", + "org", + "action", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement" }, { "action": "organization_default_label.create", "description": "A default label was created for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label", + "fields": [ + "request_id", + "actor_id", + "actor", + "org", + "org_id", + "operation_type", + "_document_id", + "action", + "created_at", + "@timestamp", + "user_agent", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label" }, { "action": "organization_default_label.destroy", "description": "A default label was deleted for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label", + "fields": [ + "operation_type", + "request_id", + "actor", + "@timestamp", + "_document_id", + "actor_id", + "org_id", + "org", + "action", + "created_at", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label" }, { "action": "organization_default_label.update", "description": "A default label was edited for repositories in an organization.", "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label", + "fields": [ + "org", + "created_at", + "@timestamp", + "actor", + "action", + "user_agent", + "actor_id", + "org_id", + "operation_type", + "request_id", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label" }, { "action": "organization_domain.approve", "description": "A domain was approved for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization" }, { "action": "organization_domain.create", "description": "A domain was added to an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "created_at", + "_document_id", + "domain_name", + "action", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "user_agent", + "actor" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_domain.destroy", "description": "A domain was removed from an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain", + "fields": [ + "action", + "domain_name", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "created_at" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain" }, { "action": "organization_domain.verify", "description": "A domain was verified for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization", + "fields": [ + "operation_type", + "domain_name", + "@timestamp", + "user_agent", + "request_id", + "actor", + "action", + "created_at", + "_document_id", + "actor_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization" }, { "action": "organization_moderators.add_team", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.add_user", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.remove_team", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "organization_moderators.remove_user", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type" + ] }, { "action": "organization_projects_change.clear", "description": "An enterprise owner cleared the policy setting for organization-wide project boards in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor", + "business_id", + "@timestamp", + "actor_id", + "user", + "user_id", + "action", + "user_agent", + "_document_id", + "created_at", + "operation_type", + "request_id", + "business" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.disable", "description": "Organization projects were disabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "org_id", + "action", + "user", + "org", + "created_at", + "user_agent", + "request_id", + "actor_id", + "operation_type", + "@timestamp", + "actor", + "user_id", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_projects_change.enable", "description": "Organization projects were enabled for all organizations in an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards", + "fields": [ + "actor_id", + "org_id", + "created_at", + "user_id", + "org", + "@timestamp", + "_document_id", + "user_agent", + "actor", + "request_id", + "user", + "action", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "organization_role.assign", "description": "An organization role was assigned to a user or team.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.create", "description": "A custom organization role was created in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.destroy", "description": "A custom organization role was deleted in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.revoke", "description": "A user or team was unassigned an organization role.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "organization_role_id", + "organization_role_name", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_role.update", "description": "A custom organization role was edited in an organization.", "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "name", + "owner", + "role_permissions", + "base_role", + "old_role_permissions", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "old_base_role" + ], "docs_reference_titles": "About custom organization roles" }, { "action": "organization_wide_project_base_role.update", "description": "An organization's default project base role was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", + "business", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "packages.package_deleted", "description": "An entire package was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_published", "description": "A package was published or republished to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "ecosystem", + "version_count", + "is_republished", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "packages.package_version_deleted", "description": "A specific package version was deleted.", "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package", + "fields": [ + "actor_id", + "actor", + "org", + "org_id", + "repo", + "repo_id", + "package", + "version", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "ecosystem", + "actor_is_bot" + ], "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package" }, { "action": "packages.package_version_published", "description": "A specific package version was published or republished to a package.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "ecosystem", + "package", + "version", + "actor_id", + "user_agent", + "is_republished", + "actor", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_restriction_disabled", "description": "The configured restriction for access to resources via personal access tokens was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_restriction_enabled", "description": "The configured restriction for access to resources via personal access tokens was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.auto_approve_grant_requests_disabled", "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.auto_approve_grant_requests_enabled", "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "personal_access_token.expiration_limit_set", "description": "A personal access token expiration limit was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "token_expiration", + "old_token_expiration", + "exempt_administrators", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.expiration_limit_unset", "description": "A personal access token expiration limit was unset.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "programmatic_access_type", + "old_token_expiration", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "prebuild_configuration.create", "description": "A GitHub Codespaces prebuild configuration for a repository was created.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.destroy", "description": "A GitHub Codespaces prebuild configuration for a repository was deleted.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.run_triggered", "description": "A user initiated a run of a GitHub Codespaces prebuild configuration for a repository branch.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "prebuild_configuration.update", "description": "A GitHub Codespaces prebuild configuration for a repository was edited.", "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "branch", + "repository", + "repository_id", + "org", + "org_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ], "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_repository_forking.clear", "description": "An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "action", + "operation_type", + "@timestamp", + "business_id", + "actor_id", + "user", + "business", + "request_id", + "actor", + "created_at", + "_document_id" + ] }, { "action": "private_repository_forking.disable", "description": "An enterprise owner disabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are never allowed to be forked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor_id", + "_document_id", + "actor", + "user", + "repo", + "action", + "user_agent", + "@timestamp", + "org", + "operation_type", + "request_id", + "user_id", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "private_repository_forking.enable", "description": "An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_id", + "operation_type", + "_document_id", + "action", + "@timestamp", + "repo", + "org", + "business", + "user_agent", + "request_id", + "actor", + "repo_id", + "user", + "org_id", + "created_at", + "business_id" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project_base_role.update", "description": "A project's base role was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_project_base_role", + "new_project_base_role", + "project_number", + "public_project", + "business", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.authorized_users_teams", "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches", + "fields": [ + "repo", + "action", + "org_id", + "user_agent", + "name", + "created_at", + "_document_id", + "operation_type", + "actor", + "repo_id", + "org", + "request_id", + "actor_id", + "oauth_application_id", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches" }, { "action": "protected_branch.branch_allowances", "description": "A protected branch allowance was given to a specific user, team or integration.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "name", + "authorized_actors", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "protected_branch.create", "description": "Branch protection was enabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "repo_id", + "user_id", + "@timestamp", + "user_agent", + "repo", + "name", + "org_id", + "user", + "_document_id", + "request_id", + "actor", + "actor_id", + "org", + "action", + "created_at", + "authorized_actor_names", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.destroy", "description": "Branch protection was disabled on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "repo", + "@timestamp", + "actor", + "org", + "actor_id", + "request_id", + "repo_id", + "org_id", + "operation_type", + "action", + "user_agent", + "created_at", + "_document_id", + "token_scopes", + "required_deployments_enforcement_level", + "merge_queue_enforcement_level", + "create_protected" + ] }, { "action": "protected_branch.dismiss_stale_reviews", "description": "Enforcement of dismissing stale pull requests was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "dismiss_stale_reviews_on_push", + "org_id", + "action", + "created_at", + "request_id", + "_document_id", + "@timestamp", + "actor_id", + "repo_id", + "operation_type", + "actor", + "repo", + "org", + "name", + "programmatic_access_type" + ] }, { "action": "protected_branch.dismissal_restricted_users_teams", "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "actor", + "oauth_application_id", + "authorized_actors_only", + "authorized_actors", + "created_at", + "user_agent", + "name", + "_document_id", + "org_id", + "request_id", + "@timestamp", + "actor_id", + "org", + "action", + "operation_type", + "programmatic_access_type" + ] }, { "action": "protected_branch.policy_override", "description": "A branch protection requirement was overridden by a repository administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "created_at", + "actor", + "reasons", + "@timestamp", + "before", + "after", + "actor_id", + "repo", + "operation_type", + "user_agent", + "branch", + "overridden_codes", + "org", + "org_id", + "action", + "_document_id", + "request_id", + "referrer", + "business", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "rule_suite_id" + ] }, { "action": "protected_branch.rejected_ref_update", "description": "A branch update attempt was rejected.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org", + "@timestamp", + "created_at", + "_document_id", + "business", + "org_id", + "operation_type", + "request_id", + "repo_id", + "actor", + "branch", + "before", + "overridden_codes", + "after", + "action", + "reasons", + "actor_id", + "business_id", + "deploy_key_fingerprint", + "token_scopes", + "programmatic_access_type", + "compliant_pull_request_ids", + "actor_is_bot", + "rule_suite_id" + ] }, { "action": "protected_branch.update_admin_enforced", "description": "Branch protection was enforced for repository administrators.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "admin_enforced", + "operation_type", + "user_agent", + "actor", + "org", + "name", + "repo", + "@timestamp", + "action", + "repo_id", + "org_id", + "_document_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_allow_deletions_enforcement_level", "description": "Branch deletion was enabled or disabled for a protected branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "operation_type", + "request_id", + "repo", + "@timestamp", + "org_id", + "org", + "action", + "allow_deletions_enforcement_level", + "_document_id", + "created_at", + "actor_id", + "user_agent", + "actor", + "repo_id", + "request_access_security_header" + ] }, { "action": "protected_branch.update_allow_force_pushes_enforcement_level", "description": "Force pushes were enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "actor_id", + "name", + "_document_id", + "actor", + "repo", + "operation_type", + "request_id", + "allow_force_pushes_enforcement_level", + "@timestamp", + "org", + "action", + "created_at", + "user_agent", + "repo_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_ignore_approvals_from_contributors", "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "ignore_approvals_from_contributors", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "protected_branch.update_linear_history_requirement_enforcement_level", "description": "Required linear commit history was enabled or disabled for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "operation_type", + "actor", + "linear_history_requirement_enforcement_level", + "repo", + "request_id", + "name", + "org_id", + "repo_id", + "org", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_lock_allows_fetch_and_merge", "description": "Fork syncing was enabled or disabled for a read-only branch", "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "lock_allows_fetch_and_merge", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_lock_branch_enforcement_level", "description": "The enforcement of a branch lock was updated.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "enforcement_level", + "lock_branch_enforcement_level", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch" }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "protected_branch.update_name", "description": "A branch name pattern was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "old_name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "protected_branch.update_pull_request_reviews_enforcement_level", "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "org_id", + "_document_id", + "actor_id", + "@timestamp", + "business_id", + "request_id", + "pull_request_reviews_enforcement_level", + "org", + "repo", + "action", + "business", + "user_agent", + "created_at", + "repo_id", + "operation_type", + "actor", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_code_owner_review", "description": "Enforcement of required code owner review was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org_id", + "created_at", + "require_code_owner_review", + "operation_type", + "name", + "user_agent", + "action", + "@timestamp", + "actor", + "actor_id", + "repo", + "request_id", + "org", + "repo_id", + "_document_id", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_require_last_push_approval", "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "require_last_push_approval", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging" }, { "action": "protected_branch.update_required_approving_review_count", "description": "Enforcement of the required number of approvals before merging was updated on a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "required_approving_review_count", + "repo", + "request_id", + "repo_id", + "created_at", + "actor", + "operation_type", + "user_agent", + "name", + "org_id", + "action", + "actor_id", + "_document_id", + "org", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_required_status_checks_enforcement_level", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "user_agent", + "@timestamp", + "_document_id", + "name", + "repo", + "action", + "business_id", + "repo_id", + "business", + "actor_id", + "operation_type", + "created_at", + "request_id", + "required_status_checks_enforcement_level", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_signature_requirement_enforcement_level", "description": "Enforcement of required commit signing was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "name", + "@timestamp", + "created_at", + "_document_id", + "request_id", + "repo_id", + "org", + "org_id", + "action", + "actor", + "actor_id", + "signature_requirement_enforcement_level", + "repo", + "user_agent", + "programmatic_access_type" + ] }, { "action": "protected_branch.update_strict_required_status_checks_policy", "description": "Enforcement of required status checks was updated for a branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "_document_id", + "org", + "@timestamp", + "created_at", + "repo_id", + "org_id", + "user_agent", + "name", + "actor", + "repo", + "operation_type", + "action", + "strict_required_status_checks_policy", + "programmatic_access_type" + ] }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "pull_request.close", "description": "A pull request was closed without being merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request" }, { "action": "pull_request.converted_to_draft", "description": "A pull request was converted to a draft.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft" }, { "action": "pull_request.create", "description": "A pull request was created.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request" }, { "action": "pull_request.create_review_request", "description": "A review was requested on a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.in_progress", "description": "A pull request was marked as in progress.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "pull_request.indirect_merge", "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request.merge", "description": "A pull request was merged.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request" }, { "action": "pull_request.ready_for_review", "description": "A pull request was marked as ready for review.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review" }, { "action": "pull_request.rebase", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "pull_request_url", + "pull_request_title", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request.remove_review_request", "description": "A review request was removed from a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "org_id", + "reviewer_type", + "reviewer", + "reviewer_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request.reopen", "description": "A pull request was reopened after previously being closed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.create", "description": "A review comment was added to a pull request.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "comment_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews" }, { "action": "pull_request_review_comment.delete", "description": "A review comment on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "actor", + "@timestamp", + "_document_id", + "repo", + "created_at", + "request_id", + "comment_id", + "actor_id", + "repo_id", + "action", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review_comment.update", "description": "A review comment on a pull request was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "request_id", + "actor_id", + "action", + "created_at", + "actor", + "_document_id", + "@timestamp", + "comment_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "pull_request_review.delete", "description": "A review on a pull request was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "pull_request_review.dismiss", "description": "A review on a pull request was dismissed.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "business_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review" }, { "action": "pull_request_review.submit", "description": "A review on a pull request was submitted.", "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "pull_request_id", + "review_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "pull_request_url", + "programmatic_access_type" + ], "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_autofix_disabled", "description": "Autofix for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_enabled", "description": "Autofix for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_disabled", "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_autofix_third_party_tools_enabled", "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.code_scanning_delegated_alert_dismissal_disabled", "description": "Prevention of direct alert dismissal for code scanning was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "repo.code_scanning_delegated_alert_dismissal_enabled", "description": "Prevention of direct alert dismissal for code scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "repo.codeql_disabled", "description": "Code scanning using the default setup was disabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_enabled", "description": "Code scanning using the default setup was enabled for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "query_suite", + "threat_model", + "languages", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codeql_updated", "description": "Code scanning using the default setup was updated for a repository.", "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "query_suite", + "threat_model", + "languages", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning" }, { "action": "repo.codespaces_trusted_repo_access_granted", "description": "GitHub Codespaces was granted trusted repository access to this repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "repo.codespaces_trusted_repo_access_revoked", "description": "GitHub Codespaces trusted repository access to this repository was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.download_zip", "description": "A source code archive of a repository was downloaded as a ZIP file.", "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives" }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.rename_branch", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "old_branch", + "new_branch", + "default_branch", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.self_hosted_runner_offline", "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_online", "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "runner_id", + "runner_name", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp" + ], "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners" }, { "action": "repo.self_hosted_runner_updated", "description": "The runner application was updated. This event is not included in the JSON/CSV export.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners", + "fields": [ + "repo_id", + "runner_id", + "runner_name", + "source_version", + "target_version", + "runner_group_id", + "runner_group_name" + ], "docs_reference_titles": "About self-hosted runners" }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_advisory.close", "description": "Someone closed a security advisory.", "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories", + "fields": [ + "actor", + "repo", + "@timestamp", + "business", + "business_id", + "user_agent", + "actor_id", + "request_id", + "action", + "operation_type", + "created_at", + "repo_id", + "_document_id", + "org", + "org_id", + "request_access_security_header" + ], "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories" }, { "action": "repository_advisory.cve_request", "description": "Someone requested a CVE (Common Vulnerabilities and Exposures) number from GitHub for a draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "repo", + "org_id", + "actor", + "action", + "request_id", + "org", + "operation_type", + "@timestamp", + "user_agent", + "actor_id", + "_document_id", + "created_at" + ] }, { "action": "repository_advisory.github_broadcast", "description": "GitHub made a security advisory public in the GitHub Advisory Database.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ] }, { "action": "repository_advisory.github_withdraw", "description": "GitHub withdrew a security advisory that was published in error.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repository_advisory.open", "description": "Someone opened a draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "actor_id", + "actor", + "repo", + "created_at", + "_document_id", + "repo_id", + "action", + "@timestamp", + "request_id", + "request_access_security_header" + ] }, { "action": "repository_advisory.publish", "description": "Someone published a security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "actor_id", + "@timestamp", + "actor", + "repo_id", + "_document_id", + "repo", + "business_id", + "business", + "request_id", + "action", + "created_at", + "org_id", + "org" + ] }, { "action": "repository_advisory.reopen", "description": "Someone reopened as draft security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_agent", + "repo", + "action", + "created_at", + "@timestamp", + "request_id", + "actor_id", + "_document_id", + "actor", + "repo_id", + "public_repo" + ] }, { "action": "repository_advisory.update", "description": "Someone edited a draft or published security advisory.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "repo_id", + "org_id", + "business", + "actor", + "user_agent", + "created_at", + "_document_id", + "business_id", + "repo", + "action", + "operation_type", + "org", + "@timestamp", + "request_id" + ] }, { "action": "repository_branch_protection_evaluation.disable", "description": "Branch protections were disabled for the repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_branch_protection_evaluation.enable", "description": "Branch protections were enabled for this repository.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "org", + "org_id", + "business_id", + "user", + "user_id", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule" }, { "action": "repository_code_security.disable", "description": "Code security was disabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "repository_code_security.enable", "description": "Code security was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "repository_content_analysis.disable", "description": "Data use settings were disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "repo_id", + "request_id", + "actor_id", + "created_at", + "user_agent", + "action", + "operation_type", + "actor", + "repo", + "user_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_content_analysis.enable", "description": "Data use settings were enabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "user", + "org", + "user_id", + "repo_id", + "@timestamp", + "request_id", + "actor", + "action", + "operation_type", + "created_at", + "actor_id", + "repo", + "user_agent", + "org_id", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.disable", "description": "The dependency graph was disabled for a private repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories", + "fields": [ + "repo_id", + "operation_type", + "user_id", + "repo", + "_document_id", + "actor", + "user", + "action", + "@timestamp", + "org_id", + "actor_id", + "org", + "created_at", + "user_agent", + "request_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea, tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories" }, { "action": "repository_dependency_graph.enable", "description": "The dependency graph was enabled for a private repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "org", + "org_id", + "action", + "repo", + "user_id", + "created_at", + "user_agent", + "actor_id", + "repo_id", + "operation_type", + "actor", + "@timestamp", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_limit.reached", "description": "An organization has reached their repository limit.", "docs_reference_links": "repositories/creating-and-managing-repositories/repository-limits", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "limit", + "count", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "repositories/creating-and-managing-repositories/repository-limits" }, { "action": "repository_limit.warning", "description": "An organization is approaching their repository limit.", "docs_reference_links": "repositories/creating-and-managing-repositories/repository-limits", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "limit", + "count", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "repositories/creating-and-managing-repositories/repository-limits" }, { "action": "repository_projects_change.clear", "description": "The repository projects policy was removed for an organization, or all organizations in the enterprise Organization owners can now control their repository projects settings.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise", + "fields": [ + "request_id", + "created_at", + "_document_id", + "action", + "user_agent", + "user", + "business_id", + "business", + "operation_type", + "actor", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Enforcing policies for projects in your enterprise" }, { "action": "repository_projects_change.disable", "description": "Repository projects were disabled for a repository, all repositories in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "@timestamp", + "repo", + "action", + "operation_type", + "_document_id", + "actor_id", + "user", + "user_id", + "user_agent", + "repo_id", + "actor", + "request_id", + "programmatic_access_type" + ] }, { "action": "repository_projects_change.enable", "description": "Repository projects were enabled for a repository, all repositories in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "repo_id", + "org", + "request_id", + "user", + "user_agent", + "created_at", + "org_id", + "action", + "user_id", + "operation_type", + "_document_id", + "actor_id", + "repo" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "repository_secret_scanning_automatic_validity_checks.disabled", "description": "Automatic partner validation checks have been disabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_automatic_validity_checks.enabled", "description": "Automatic partner validation checks have been enabled at the repository level", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository" }, { "action": "repository_secret_scanning_custom_pattern.create", "description": "A custom pattern was created for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.delete", "description": "A custom pattern was removed from secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.publish", "description": "A custom pattern was published for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.disabled", "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern_push_protection.enabled", "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning_custom_pattern.update", "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.", "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "Defining custom patterns for secret scanning" }, { "action": "repository_secret_scanning.disable", "description": "Secret scanning was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "public_repo", + "programmatic_access_type" + ], "docs_reference_titles": "About secret scanning" }, { "action": "repository_secret_scanning.enable", "description": "Secret scanning was enabled for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "repository_secret_scanning_generic_secrets.disabled", "description": "Generic secrets have been disabled at the repository level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_secret_scanning_generic_secrets.enabled", "description": "Generic secrets have been enabled at the repository level", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "repository_secret_scanning_non_provider_patterns.disabled", "description": "Secret scanning for non-provider patterns was disabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_non_provider_patterns.enabled", "description": "Secret scanning for non-provider patterns was enabled at the repository level.", "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Supported secret scanning patterns" }, { "action": "repository_secret_scanning_push_protection_bypass_list.add", "description": "A role or team was added to the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.disable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.enable", "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection_bypass_list.remove", "description": "A role or team was removed from the push protection bypass list at the repository level.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.disable", "description": "Secret scanning push protection was disabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_secret_scanning_push_protection.enable", "description": "Secret scanning push protection was enabled for a repository.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "repository_security_configuration.applied", "description": "A code security configuration was applied to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.failed", "description": "A code security configuration failed to attach to the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed", "description": "A code security configuration was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_security_configuration.removed_by_settings_change", "description": "A code security configuration was removed due to a change in repository or enterprise settings.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "repository_security_configuration_state", + "repository_security_configuration_failure_reason", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_visibility_change.clear", "description": "The repository visibility change setting was cleared for an organization or enterprise.", "docs_reference_links": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-changes-to-repository-visibility", + "fields": [ + "created_at", + "_document_id", + "request_id", + "actor_id", + "business", + "action", + "operation_type", + "user", + "user_id", + "business_id", + "@timestamp", + "user_agent", + "actor", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, Enforcing repository management policies in your enterprise" }, { "action": "repository_visibility_change.disable", "description": "The ability for enterprise members to update a repository's visibility was disabled. Members are unable to change repository visibilities in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "org_id", + "created_at", + "user_agent", + "actor", + "actor_id", + "org", + "operation_type", + "_document_id", + "@timestamp", + "user_id", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "repository_visibility_change.enable", "description": "The ability for enterprise members to update a repository's visibility was enabled. Members are able to change repository visibilities in an organization, or all organizations in an enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "operation_type", + "_document_id", + "@timestamp", + "user_agent", + "user", + "created_at", + "org", + "org_id", + "action", + "actor_id", + "user_id", + "request_id" + ] }, { "action": "repository_vulnerability_alert.auto_dismiss", "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.auto_reopen", "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "alert_id", + "alert_number", + "ghsa_id", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "request_access_security_header" + ], "docs_reference_titles": "About Dependabot auto-triage rules" }, { "action": "repository_vulnerability_alert.create", "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.", "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts", + "fields": [ + "operation_type", + "request_id", + "repo_id", + "@timestamp", + "user_agent", + "alert_id", + "action", + "repo", + "created_at", + "_document_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ], "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts" }, { "action": "repository_vulnerability_alert.dismiss", "description": "A Dependabot alert was manually dismissed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "org_id", + "user_id", + "request_id", + "@timestamp", + "operation_type", + "user_agent", + "alert_id", + "actor", + "repo", + "created_at", + "org", + "_document_id", + "action", + "actor_id", + "dismiss_reason", + "user", + "dismiss_comment", + "alert_number", + "actor_is_bot" + ] }, { "action": "repository_vulnerability_alert.reintroduce", "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "alert_id", + "created_at", + "action", + "repo", + "repo_id", + "public_repo", + "owner", + "_document_id", + "@timestamp", + "operation_type", + "token_scopes", + "alert_number" + ] }, { "action": "repository_vulnerability_alert.reopen", "description": "A Dependabot alert was manually reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "alert_id", + "created_at", + "action", + "repo", + "repo_id", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "operation_type", + "business", + "business_id", + "public_repo", + "alert_number", + "request_access_security_header" + ] }, { "action": "repository_vulnerability_alert.resolve", "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "alert_id", + "repo", + "operation_type", + "action", + "repo_id", + "_document_id", + "user_agent", + "request_id", + "@timestamp", + "created_at", + "actor", + "actor_id", + "token_scopes", + "alert_number", + "programmatic_access_type" + ] }, { "action": "repository_vulnerability_alert.withdraw", "description": "A Dependabot alert was withdrawn.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "alert_id", + "alert_number", + "ghsa_id", + "created_at", + "active", + "action", + "repository_id", + "repo", + "repo_id", + "public_repo", + "owner", + "org", + "org_id", + "_document_id", + "@timestamp", + "operation_type" + ] }, { "action": "repository_vulnerability_alerts.authorized_users_teams", "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts", + "fields": [ + "org", + "_document_id", + "repo", + "org_id", + "operation_type", + "created_at", + "actor", + "action", + "@timestamp", + "user_agent", + "repo_id", + "request_id", + "actor_id", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts" }, { "action": "repository_vulnerability_alerts_auto_dismissal.disable", "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repository_vulnerability_alerts_auto_dismissal.enable", "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "repository_vulnerability_alerts.disable", "description": "Dependabot alerts was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "request_id", + "repo_id", + "action", + "actor_id", + "@timestamp", + "created_at", + "actor", + "user_agent", + "org_id", + "user", + "org", + "_document_id", + "user_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_vulnerability_alerts.enable", "description": "Dependabot alerts was enabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_agent", + "created_at", + "@timestamp", + "repo_id", + "action", + "user", + "repo", + "org", + "org_id", + "actor_id", + "_document_id", + "user_id", + "operation_type", + "request_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "required_status_check.create", "description": "A status check was marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "org", + "actor_id", + "@timestamp", + "business", + "request_id", + "context", + "repo_id", + "action", + "repo", + "_document_id", + "operation_type", + "business_id", + "org_id", + "actor", + "created_at", + "user_agent", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "required_status_check.destroy", "description": "A status check was no longer marked as required for a protected branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging", + "fields": [ + "actor_id", + "actor", + "created_at", + "context", + "operation_type", + "@timestamp", + "request_id", + "org", + "user_agent", + "repo_id", + "org_id", + "action", + "_document_id", + "repo", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging" }, { "action": "restrict_notification_delivery.disable", "description": "Email notification restrictions for an organization or enterprise were disabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "restrict_notification_delivery.enable", "description": "Email notification restrictions for an organization or enterprise were enabled.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "business_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise" }, { "action": "role.create", "description": "A new custom repository role was created.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "role_permissions", + "old_role_permissions" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.destroy", "description": "A custom repository role was deleted.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "role.update", "description": "A custom repository role was edited.", "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "owner", + "role_permissions", + "base_role", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "old_role_permissions", + "old_base_role" + ], "docs_reference_titles": "Managing custom repository roles for an organization" }, { "action": "secret_scanning_alert.create", "description": "GitHub detected a secret and created a secret scanning alert.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.public_leak", "description": "A secret scanning alert was leaked in a public repo.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "created_at" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_alert.reopen", "description": "A secret scanning alert was reopened.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type_display_name" + ] }, { "action": "secret_scanning_alert.report", "description": "A leaked secret was reported to the secret's provider by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "secret_type", + "created_at", + "secret_type_display_name", + "secret_type_provider", + "report_result" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts" }, { "action": "secret_scanning_alert.resolve", "description": "A secret scanning alert was resolved.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "resolution", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_access_security_header" + ] }, { "action": "secret_scanning_alert.revoke", "description": "A secret scanning alert was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "number", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "secret_scanning_alert.validate", "description": "A secret scanning alert was validated.", "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "previous_validity", + "current_validity", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo" + ], "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning" }, { "action": "secret_scanning_closure_request.approve", "description": "A request to close a secret scanning alert was approved by a user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "request_reviewer_comment", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "secret_scanning_closure_request.cancel", "description": "N/A", "docs_reference_links": "A reqeust to close a secret scanning alert was canceled by a user.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "A, reqeust, to, close, a, secret, scanning, alert, was, canceled, by, a, user." }, { "action": "secret_scanning_closure_request.create", "description": "N/A", "docs_reference_links": "A user requested to close a secret scanning alert.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "reason", + "comment", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "A, user, requested, to, close, a, secret, scanning, alert." }, { "action": "secret_scanning_closure_request.deny", "description": "A request to close a secret scanning alert was denied by a user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "alert_number", + "request_reviewer_comment", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "secret_scanning.disable", "description": "Secret scanning was disabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning.enable", "description": "Secret scanning was enabled for all existing repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.disable", "description": "Secret scanning was disabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_new_repos.enable", "description": "Secret scanning was enabled for all new repositories.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "About secret scanning" }, { "action": "secret_scanning_push_protection.bypass", "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.", "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret", + "fields": [ + "repo_id", + "repo", + "actor_id", + "actor", + "org_id", + "org", + "business", + "business_id", + "number", + "created_at", + "push_protection_bypass_reason", + "secret_type", + "secret_type_display_name", + "publicly_leaked", + "multi_repo", + "request_reviewer", + "request_reviewer_id" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.approve", "description": "A request to bypass secret scanning push protection was approved by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.cancel", "description": "A user canceled a request to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_push_protection_request.complete", "description": "A user pushed a commit containing a secret for which there is an approved secret scanning push protection bypass request.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_push_protection_request.deny", "description": "A request to bypass secret scanning push protection was denied by a user.", "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header", + "request_reviewer_comment" + ], "docs_reference_titles": "About push protection" }, { "action": "secret_scanning_push_protection_request.request", "description": "A user requested to bypass secret scanning push protection.", "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "number", + "repository", + "repository_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Working with secret scanning and push protection" }, { "action": "secret_scanning_scan.completed", "description": "A secret scanning scan has completed on this repository.", "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning", + "fields": [ + "repo_id", + "org_id", + "business_id", + "source", + "type", + "source_slug", + "type_slug", + "started_at", + "completed_at", + "repo", + "public_repo", + "org", + "business", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "secret_types", + "custom_pattern_name", + "custom_pattern_scope" + ], "docs_reference_titles": "About secret scanning" }, { "action": "security_configuration.create", "description": "A security configuration was created", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_default.delete", "description": "A default security configuration setting for new repositories was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration_default.update", "description": "A default security configuration setting for new repositories was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "default_for_new_private_repos", + "default_for_new_public_repos", + "security_configuration_name", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "security_configuration.delete", "description": "A security configuration was deleted", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "security_configuration_policy.update", "description": "A security configuration policy was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "enforcement", + "security_configuration_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "security_configuration.update", "description": "A security configuration was updated", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "security_configuration_id", + "security_configuration_name", + "security_configuration_description", + "security_configuration_created_at", + "security_configuration_updated_at", + "security_configuration_enable_ghas", + "security_configuration_private_vulnerability_reporting", + "security_configuration_dependency_graph", + "security_configuration_dependabot_alerts", + "security_configuration_dependabot_security_updates", + "security_configuration_code_scanning", + "security_configuration_secret_scanning", + "security_configuration_secret_scanning_push_protection", + "security_configuration_secret_scanning_validity_checks", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "security_configuration_dependency_graph_autosubmit_action", + "security_configuration_secret_scanning_non_provider_patterns", + "security_configuration_secret_scanning_delegated_bypass", + "security_configuration_secret_scanning_generic_secrets", + "security_configuration_secret_scanning_delegated_alert_dismissal", + "security_configuration_code_scanning_delegated_alert_dismissal", + "security_configuration_code_security_sku_enabled", + "security_configuration_secret_protection_sku_enabled" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.invoiced_agreement_sign", "description": "An agreement for invoiced billing for GitHub Sponsors was signed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice" }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "ssh_certificate_authority.create", "description": "An SSH certificate authority for an organization or enterprise was created.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "@timestamp", + "_document_id", + "fingerprint", + "operation_type", + "openssh_public_key", + "org_id", + "actor", + "created_at", + "org", + "action", + "user_agent", + "actor_id", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_authority.destroy", "description": "An SSH certificate authority for an organization or enterprise was deleted.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "created_at", + "_document_id", + "fingerprint", + "operation_type", + "actor", + "org_id", + "openssh_public_key", + "org", + "action", + "user_agent", + "actor_id", + "@timestamp", + "request_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.disable", "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "user", + "user_agent", + "operation_type", + "_document_id", + "request_id", + "org", + "org_id", + "created_at", + "actor", + "action", + "user_id", + "business", + "business_id", + "@timestamp", + "actor_id" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "ssh_certificate_requirement.enable", "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.", "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise", + "fields": [ + "actor_id", + "user_id", + "org", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user", + "action", + "org_id", + "created_at", + "user_agent" + ], "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise" }, { "action": "staff.dependabot_debug_credentials_generated", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "staff.set_domain_token_expiration", "description": "The verification code expiry time for an organization or enterprise domain was set.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner_type", + "domain_name", + "business_id", + "token_expires_at", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "staff.unverify_domain", "description": "An organization or enterprise domain was unverified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "owner_type", + "domain_name", + "owner", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "staff.verify_domain", "description": "An organization or enterprise domain was verified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "domain_name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "team.add_member", "description": "A member of an organization was added to a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team", + "fields": [ + "user_agent", + "request_id", + "org_id", + "user_id", + "team", + "user", + "@timestamp", + "actor_id", + "created_at", + "operation_type", + "_document_id", + "org", + "action", + "actor", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team" }, { "action": "team.add_repository", "description": "A team was given access and permissions to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "team", + "action", + "operation_type", + "request_id", + "created_at", + "@timestamp", + "org", + "repo", + "actor_id", + "_document_id", + "repo_id", + "user_agent", + "org_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "team.change_parent_team", "description": "A child team was created or a child team's parent was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy", + "fields": [ + "org", + "@timestamp", + "created_at", + "_document_id", + "team", + "action", + "operation_type", + "actor", + "request_id", + "actor_id", + "user_agent", + "org_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy" }, { "action": "team.change_privacy", "description": "A team's privacy level was changed.", "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility", + "fields": [ + "user_agent", + "request_id", + "org", + "action", + "team", + "created_at", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "actor", + "_document_id" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility" }, { "action": "team.create", "description": "A new team is created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "oauth_application_id", + "action", + "operation_type", + "@timestamp", + "org_id", + "user_agent", + "team", + "org", + "actor", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "team.demote_maintainer", "description": "A user was demoted from a team maintainer to a team member.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member" }, { "action": "team.destroy", "description": "A team was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org", + "team", + "org_id", + "actor_id", + "actor", + "action", + "@timestamp", + "user_agent", + "request_id", + "operation_type", + "_document_id", + "programmatic_access_type" + ] }, { "action": "team_discussions.clear", "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "business_id", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "actor_id", + "user", + "business", + "action", + "request_id", + "created_at", + "user_id", + "_document_id" + ] }, { "action": "team_discussions.disable", "description": "Team discussions were disabled for an organization.", "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization", + "fields": [ + "org_id", + "action", + "operation_type", + "request_id", + "actor", + "org", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "_document_id" + ], "docs_reference_titles": "Organizations and teams documentation" }, { "action": "team_discussions.enable", "description": "Team discussions were enabled for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "@timestamp", + "action", + "_document_id", + "user_agent", + "user_id", + "business_id", + "request_id", + "user", + "business", + "operation_type", + "actor", + "created_at" + ] }, { "action": "team_group_mapping.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "action", + "operation_type", + "team", + "@timestamp", + "actor_id", + "org", + "_document_id", + "org_id", + "user_agent", + "request_id", + "request_access_security_header" + ] }, { "action": "team_group_mapping.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "@timestamp", + "actor_id", + "_document_id", + "team", + "created_at", + "org_id", + "action", + "request_id", + "user_agent", + "actor", + "org", + "request_access_security_header" + ] }, { "action": "team_group_mapping.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team.promote_maintainer", "description": "A user was promoted from a team member to a team maintainer.", "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "team", + "org", + "org_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer" }, { "action": "team.remove_member", "description": "An organization member was removed from a team.", "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team", + "fields": [ + "request_id", + "operation_type", + "created_at", + "actor_id", + "org", + "org_id", + "team", + "user_id", + "actor", + "user", + "action", + "@timestamp", + "user_agent", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team" }, { "action": "team.remove_repository", "description": "A repository was removed from a team's control.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "org_id", + "repo", + "repo_id", + "action", + "_document_id", + "actor", + "@timestamp", + "actor_id", + "user_agent", + "created_at", + "team", + "org", + "operation_type", + "programmatic_access_type" + ] }, { "action": "team.rename", "description": "A team's name was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "name", + "user_agent", + "created_at", + "team", + "operation_type", + "actor_id", + "org", + "action", + "request_id", + "actor", + "org_id", + "@timestamp", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "team_sync_tenant.disabled", "description": "Team synchronization with a tenant was disabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "action", + "created_at", + "actor", + "request_id", + "org_id", + "actor_id", + "operation_type", + "_document_id", + "@timestamp", + "org", + "user_agent" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.enabled", "description": "Team synchronization with a tenant was enabled.", "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise", + "fields": [ + "org_id", + "business_id", + "actor", + "created_at", + "user_agent", + "@timestamp", + "operation_type", + "business", + "actor_id", + "org", + "request_id", + "action", + "_document_id" + ], "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise" }, { "action": "team_sync_tenant.update_okta_credentials", "description": "The Okta credentials for team synchronization with a tenant were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "team.update_repository_permission", "description": "A team's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "team", + "org_id", + "@timestamp", + "org", + "_document_id", + "old_permission", + "request_id", + "repo", + "action", + "repo_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "permission", + "new_repo_permission", + "new_repo_base_role", + "old_repo_permission", + "old_repo_base_role", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "vulnerability_alert_rule.create", "description": "A Dependabot rule was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.delete", "description": "A Dependabot rule was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.disable", "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "vulnerability_alert_rule.enable", "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "vulnerability_alert_rule.force_disable", "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "vulnerability_alert_rule.force_enable", "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "org", + "org_id", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "vulnerability_alert_rule.update", "description": "A Dependabot rule's conditions, actions, or metadata changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "vulnerability_alert_rule_id", + "vulnerability_alert_rule_name", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.cancel_workflow_run", "description": "A workflow run was cancelled.", "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "cancelled_at", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Canceling a workflow" }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.completed_workflow_run", "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "completed_at", + "conclusion", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Viewing workflow run history" }, { "action": "workflows.created_workflow_run", "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Understanding GitHub Actions" }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.prepared_workflow_job", "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.", "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows", + "fields": [ + "repo_id", + "repo", + "org_id", + "org", + "business_id", + "business", + "workflow_run_id", + "job_name", + "runner_labels", + "is_hosted_runner", + "environment_name", + "secrets_passed", + "action", + "_document_id", + "operation_type", + "created_at", + "@timestamp", + "runner_owner_type", + "job_workflow_ref", + "calling_workflow_refs", + "calling_workflow_shas", + "imposer_repo" + ], "docs_reference_titles": "Events that trigger workflows" }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.rerun_workflow_run", "description": "A workflow run was re-run.", "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "started_at", + "event", + "name", + "workflow_run_id", + "head_branch", + "head_sha", + "run_number", + "workflow_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "business", + "business_id", + "trigger_id", + "run_attempt", + "rerun_type", + "check_run_id", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "Re-running workflows and jobs" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/data/ghes-3.18/user.json b/src/audit-logs/data/ghes-3.18/user.json index 999c42ce6c32..1fd12e5753ec 100644 --- a/src/audit-logs/data/ghes-3.18/user.json +++ b/src/audit-logs/data/ghes-3.18/user.json @@ -2,2144 +2,8573 @@ { "action": "account.billing_date_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "@timestamp", + "operation_type", + "user_agent", + "_document_id", + "created_at", + "action", + "request_id", + "actor", + "actor_id", + "org_id" + ] }, { "action": "account.plan_change", "description": "The account's plan changed.", "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans", + "fields": [ + "actor", + "operation_type", + "_document_id", + "user_agent", + "created_at", + "actor_id", + "request_id", + "@timestamp", + "user", + "action", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans" }, { "action": "account_recovery_token.confirm", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "token_id", + "user_id", + "user", + "actor", + "operation_type" + ] }, { "action": "account_recovery_token.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "token_id", + "user", + "request_id", + "_document_id", + "user_agent", + "actor", + "user_id", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "account_recovery_token.recover", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "actor", + "user_agent", + "request_id", + "action", + "_document_id", + "user_id", + "token_id" + ] }, { "action": "actions_cache.delete", "description": "A GitHub Actions cache was deleted using the REST API.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "user_id", + "user", + "repo_id", + "repo", + "org", + "org_id", + "actions_cache_id", + "actions_cache_key", + "actions_cache_version", + "actions_cache_scope", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "artifact.destroy", "description": "A workflow run artifact was manually deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_agent", + "actor_id", + "repo", + "repo_id", + "request_id", + "@timestamp", + "created_at", + "_document_id", + "operation_type", + "programmatic_access_type" + ] }, { "action": "billing.change_billing_type", "description": "The way the account pays for GitHub was changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method", + "fields": [ + "actor_id", + "user", + "@timestamp", + "actor", + "user_id", + "action", + "created_at", + "operation_type", + "_document_id", + "user_agent", + "request_id" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.change_email", "description": "The billing email address changed.", "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email", + "fields": [ + "actor", + "operation_type", + "actor_id", + "org_id", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "_document_id", + "org", + "email", + "action", + "request_access_security_header" + ], "docs_reference_titles": "Managing your payment and billing information" }, { "action": "billing.lock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "@timestamp", + "actor_id", + "operation_type", + "_document_id", + "request_id", + "actor", + "user", + "user_id", + "user_agent", + "created_at", + "action" + ] }, { "action": "billing.unlock", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "operation_type", + "user_agent", + "created_at", + "user_id", + "request_id", + "actor", + "action", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "billing.update_bill_cycle_day", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "business.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_coverage", "description": "A CSV export was requested on the \"Coverage\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_overview_dashboard", "description": "A CSV export was requested on the \"Overview Dashboard\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "business.security_center_export_risk", "description": "A CSV export was requested on the \"Risk\" page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "business_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "business.set_actions_fork_pr_approvals_policy", "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "policy", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "limit", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_fork_pr_workflows_policy", "description": "The policy for fork pull request workflows was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "policy", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "business.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.", "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise" }, { "action": "checks.auto_trigger_disabled", "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "visibility", + "user_agent", + "user", + "@timestamp", + "repo", + "actor_id", + "user_id", + "action", + "created_at", + "actor", + "operation_type", + "request_id", + "repo_id", + "_document_id" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.auto_trigger_enabled", "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.", "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo" + ], "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites" }, { "action": "checks.delete_logs", "description": "Logs in a check suite were deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "actor", + "actor_id", + "operation_type", + "repo_id", + "action", + "created_at", + "_document_id", + "user_agent", + "request_id", + "repo", + "programmatic_access_type" + ] }, { "action": "codespaces.allow_permissions", "description": "A codespace using custom permissions from its devcontainer.json file was launched.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "origin_repository", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.connect", "description": "Credentials for a codespace were refreshed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "user_id", + "org_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ] }, { "action": "codespaces.create", "description": "A codespace was created", "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "machine_type", + "devcontainer_path" + ], "docs_reference_titles": "Creating a codespace for a repository" }, { "action": "codespaces.destroy", "description": "A user deleted a codespace.", "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repository_id", + "repository", + "pull_request_id", + "owner", + "name", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a codespace" }, { "action": "codespaces.export_environment", "description": "A codespace was exported to a branch on GitHub.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "owner", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo" + ] }, { "action": "codespaces.restore", "description": "A codespace was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "codespaces.start_environment", "description": "A codespace was started.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "org", + "owner", + "pull_request_id", + "machine_type", + "user_id", + "user", + "devcontainer_path", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "codespaces.suspend_environment", "description": "A codespace was stopped.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "codespaces.trusted_repositories_access_update", "description": "A personal account's access and security setting for Codespaces were updated.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "business", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "copilot.cfb_seat_added", "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_created", "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.", "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "What is GitHub Copilot?" }, { "action": "copilot.cfb_seat_assignment_refreshed", "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "token_id", + "token_scopes", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_assignment_reused", "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.cfb_seat_assignment_unassigned", "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "seat_assignment", + "request_access_security_header" + ] }, { "action": "copilot.cfb_seat_cancelled_by_staff", "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_id", + "user", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.swe_agent_repo_disabled", "description": "Specific repositories were disabled from using Copilot coding agent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org_id", + "owner_type", + "actor_id", + "owner", + "repo", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "copilot.swe_agent_repo_enabled", "description": "Specific repositories were enabled to use Copilot coding agent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "org_id", + "owner_type", + "owner", + "repo", + "repo_id", + "public_repo", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "copilot.swe_agent_repo_enablement_updated", "description": "Copilot coding agent access was updated for the organization's or user's repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "request_access_security_header", + "new_access", + "old_access", + "org_id", + "owner_type", + "owner", + "org", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "custom_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "dependabot_alerts.disable", "description": "Dependabot alerts were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts.enable", "description": "Dependabot alerts were enabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories" }, { "action": "dependabot_alerts_new_repos.disable", "description": "Dependabot alerts were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_alerts_new_repos.enable", "description": "Dependabot alerts were enabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added" }, { "action": "dependabot_repository_access.repositories_updated", "description": "The repositories that Dependabot can access were updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependabot_security_updates.disable", "description": "Dependabot security updates were disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates.enable", "description": "Dependabot security updates were enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependabot_security_updates_new_repos.disable", "description": " Dependabot security updates were disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependabot_security_updates_new_repos.enable", "description": "Dependabot security updates were enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "dependency_graph.disable", "description": "The dependency graph was disabled for all existing repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph.enable", "description": "The dependency graph was enabled for all existing repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ] }, { "action": "dependency_graph_new_repos.disable", "description": "The dependency graph was disabled for all new repositories.", "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization" }, { "action": "dependency_graph_new_repos.enable", "description": "The dependency graph was enabled for all new repositories.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "environment.add_protection_rule", "description": "A GitHub Actions deployment protection rule was created via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "environment.create_actions_secret", "description": "A secret was created for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.create_actions_variable", "description": "A variable was created for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.delete", "description": "An environment was deleted.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_secret", "description": "A secret was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "public_repo", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.remove_actions_variable", "description": "A variable was deleted for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.remove_protection_rule", "description": "A GitHub Actions deployment protection rule was deleted via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_secret", "description": "A secret was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "environment.update_actions_variable", "description": "A variable was updated for a GitHub Actions environment.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "environment_name", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "environment.update_protection_rule", "description": "A GitHub Actions deployment protection rule was updated via the API.", "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "@timestamp", + "_document_id", + "new_value", + "approvers_was", + "approvers", + "programmatic_access_type", + "can_admins_bypass", + "prevent_self_review" + ], "docs_reference_titles": "Managing environments for deployment" }, { "action": "gist.create", "description": "A gist was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "user", + "gist_id", + "@timestamp", + "created_at", + "operation_type", + "user_agent", + "actor", + "actor_id", + "visibility", + "action", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "gist.destroy", "description": "A gist was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "gist_id", + "visibility", + "created_at", + "_document_id", + "user", + "request_id", + "operation_type", + "actor", + "actor_id", + "action", + "user_agent", + "@timestamp", + "programmatic_access_type" + ] }, { "action": "gist.visibility_change", "description": "The visibility of a gist was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "operation_type", + "@timestamp", + "user_agent", + "actor", + "user", + "gist_id", + "actor_id", + "request_id", + "visibility", + "user_id", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "git_signing_ssh_public_key.create", "description": "An SSH key was added to a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "git_signing_ssh_public_key.delete", "description": "An SSH key was removed from a user account as a Git commit signing key.", "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "user_id", + "explanation", + "user", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key" }, { "action": "github_hosted_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "github_hosted_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot" + ] }, { "action": "github_hosted_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "runner_group_id", + "business", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "gpg_key.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "created_at", + "user_id", + "@timestamp", + "user", + "operation_type", + "_document_id", + "actor", + "action", + "user_agent", + "request_access_security_header" + ] }, { "action": "gpg_key.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor", + "actor_id", + "user", + "action", + "created_at", + "_document_id", + "user_agent", + "@timestamp", + "request_access_security_header" + ] }, { "action": "hook.active_changed", "description": "A hook's active status was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "name", + "events", + "active", + "active_was", + "hook_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "programmatic_access_type" + ] }, { "action": "hook.config_changed", "description": "A hook's configuration was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "name", + "org", + "user_agent", + "request_id", + "hook_id", + "repo", + "repo_id", + "created_at", + "oauth_application_id", + "action", + "events", + "org_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.create", "description": "A new hook was added.", "docs_reference_links": "/get-started/exploring-integrations/about-webhooks", + "fields": [ + "oauth_application", + "_document_id", + "user_agent", + "actor", + "actor_id", + "oauth_application_id", + "repo_id", + "request_id", + "hook_id", + "events", + "repo", + "@timestamp", + "operation_type", + "name", + "action", + "created_at", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "About webhooks" }, { "action": "hook.destroy", "description": "A hook was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "created_at", + "org", + "name", + "request_id", + "actor_id", + "repo_id", + "org_id", + "action", + "operation_type", + "oauth_application_id", + "user_agent", + "hook_id", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "hook.events_changed", "description": "A hook's configured events were changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "events", + "repo", + "operation_type", + "action", + "_document_id", + "actor_id", + "name", + "events_were", + "@timestamp", + "created_at", + "hook_id", + "repo_id", + "org_id", + "org", + "user_agent", + "request_id", + "oauth_application_id", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "integration.create", "description": "A GitHub App was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "@timestamp", + "actor", + "user_agent", + "actor_id", + "request_id", + "name", + "user_id", + "_document_id", + "integration", + "created_at", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration.destroy", "description": "A GitHub App was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "actor_id", + "request_id", + "@timestamp", + "name", + "integration", + "user", + "_document_id", + "action", + "operation_type", + "created_at", + "user_agent" + ] }, { "action": "integration.generate_client_secret", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header", + "application_client_id" + ] }, { "action": "integration_installation.create", "description": "A GitHub App was installed.", "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps", + "fields": [ + "operation_type", + "@timestamp", + "name", + "request_id", + "repository_selection", + "user_id", + "action", + "user_agent", + "user", + "created_at", + "integration", + "_document_id", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps" }, { "action": "integration_installation.destroy", "description": "A GitHub App was uninstalled.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "@timestamp", + "request_id", + "actor", + "created_at", + "_document_id", + "repository_selection", + "integration", + "user_id", + "user", + "action", + "operation_type", + "name", + "actor_id", + "user_agent", + "programmatic_access_type", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.repositories_added", "description": "Repositories were added to a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user_id", + "repository_selection", + "name", + "user", + "request_id", + "integration", + "operation_type", + "actor_id", + "action", + "repositories_added", + "created_at", + "_document_id", + "@timestamp", + "actor", + "user_agent", + "token_scopes", + "repositories_added_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.repositories_removed", "description": "Repositories were removed from a GitHub App.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access", + "fields": [ + "user", + "operation_type", + "user_agent", + "actor", + "repository_selection", + "repositories_removed", + "integration", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "name", + "action", + "actor_id", + "repositories_removed_names", + "programmatic_access_type", + "actor_is_bot", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access" }, { "action": "integration_installation.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access", + "fields": [ + "user_agent", + "request_id", + "name", + "repository_selection", + "actor_id", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access" }, { "action": "integration_installation.version_updated", "description": "Permissions for a GitHub App were updated.", "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app", + "fields": [ + "integration", + "user_id", + "user_agent", + "name", + "user", + "operation_type", + "actor_id", + "action", + "_document_id", + "request_id", + "created_at", + "repository_selection", + "@timestamp", + "actor", + "application_client_id" + ], "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app" }, { "action": "integration.manager_added", "description": "A member of an enterprise or organization was added as a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization", + "fields": [ + "created_at", + "action", + "_document_id", + "name", + "org_id", + "manager", + "operation_type", + "actor", + "integration", + "org", + "@timestamp", + "actor_id", + "request_id", + "user_agent" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization" }, { "action": "integration.manager_removed", "description": "A member of an enterprise or organization was removed from being a GitHub App manager.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization", + "fields": [ + "user_agent", + "request_id", + "actor_id", + "org", + "operation_type", + "integration", + "org_id", + "_document_id", + "action", + "actor", + "name", + "created_at", + "manager", + "@timestamp" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization" }, { "action": "integration.remove_client_secret", "description": "A client secret for a GitHub App was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "integration.revoke_all_tokens", "description": "All user tokens for a GitHub App were requested to be revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.revoke_tokens", "description": "Token(s) for a GitHub App were revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "integration", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "application_client_id" + ] }, { "action": "integration.suspend", "description": "A GitHub App was suspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "integration.transfer", "description": "Ownership of a GitHub App was transferred to another user or organization.", "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app", + "fields": [ + "@timestamp", + "user_id", + "name", + "transfer_to_id", + "user", + "requester", + "action", + "requester_id", + "actor_id", + "created_at", + "_document_id", + "user_agent", + "transfer_to", + "operation_type", + "request_id", + "actor", + "integration", + "transfer_from", + "transfer_from_id", + "transfer_from_type", + "transfer_to_type" + ], "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app" }, { "action": "integration.unsuspend", "description": "A GitHub App was unsuspended.", "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "application_client_id" + ], "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation" }, { "action": "marketplace_agreement_signature.create", "description": "The GitHub Marketplace Developer Agreement was signed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "actor_id", + "@timestamp", + "_document_id", + "user_agent", + "operation_type", + "created_at", + "action", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "marketplace_listing.approve", "description": "A listing was approved for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "secondary_category", + "actor", + "primary_category", + "user", + "@timestamp", + "_document_id", + "user_id", + "user_agent", + "operation_type", + "created_at", + "request_id", + "actor_id", + "marketplace_listing", + "integration", + "action" + ] }, { "action": "marketplace_listing.change_category", "description": "A category for a listing for an app in GitHub Marketplace was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "user_agent", + "request_id", + "actor", + "marketplace_listing", + "@timestamp", + "integration", + "org_id", + "action", + "org", + "secondary_category", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ] }, { "action": "marketplace_listing.create", "description": "A listing for an app in GitHub Marketplace was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "primary_category", + "_document_id", + "user", + "created_at", + "user_agent", + "oauth_application", + "action", + "request_id", + "marketplace_listing", + "user_id", + "secondary_category", + "oauth_application_id", + "actor", + "actor_id", + "operation_type", + "@timestamp" + ] }, { "action": "marketplace_listing.delist", "description": "A listing was removed from GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "actor", + "actor_id", + "user_agent", + "request_id", + "org_id", + "created_at", + "secondary_category", + "operation_type", + "marketplace_listing", + "action", + "@timestamp", + "_document_id", + "primary_category", + "integration" + ] }, { "action": "marketplace_listing_plan.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "actor", + "action", + "operation_type", + "marketplace_listing", + "has_free_trial", + "user_agent", + "request_id", + "actor_id", + "yearly_price_in_cents", + "description", + "bullets", + "monthly_price_in_cents", + "marketplace_listing_plan", + "_document_id" + ] }, { "action": "marketplace_listing_plan.publish", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "marketplace_listing_plan", + "marketplace_listing", + "description", + "bullets", + "has_free_trial", + "created_at", + "actor_id", + "operation_type", + "_document_id", + "action", + "user_agent", + "request_id", + "actor", + "monthly_price_in_cents", + "yearly_price_in_cents", + "@timestamp" + ] }, { "action": "marketplace_listing_plan.retire", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "marketplace_listing_plan", + "_document_id", + "request_id", + "description", + "yearly_price_in_cents", + "@timestamp", + "created_at", + "actor_id", + "bullets", + "has_free_trial", + "marketplace_listing", + "user_agent", + "monthly_price_in_cents", + "action", + "operation_type" + ] }, { "action": "marketplace_listing_plan.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "monthly_price_in_cents", + "marketplace_listing", + "_document_id", + "action", + "description", + "bullets", + "yearly_price_in_cents", + "request_id", + "actor_id", + "has_free_trial", + "marketplace_listing_plan", + "user_agent", + "@timestamp", + "operation_type", + "actor", + "created_at" + ] }, { "action": "marketplace_listing.redraft", "description": "A listing was sent back to draft state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "secondary_category", + "oauth_application_id", + "@timestamp", + "action", + "user_agent", + "user_id", + "operation_type", + "oauth_application", + "actor", + "created_at", + "marketplace_listing", + "request_id", + "actor_id", + "primary_category", + "user" + ] }, { "action": "marketplace_listing.reject", "description": "A listing was not accepted for inclusion in GitHub Marketplace.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "primary_category", + "secondary_category", + "marketplace_listing", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "merge_queue.pull_request_dequeued", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "merge_queue.pull_request_queue_jump", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.queue_cleared", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "merge_queue.update_settings", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "max_entries_to_build", + "min_entries_to_merge", + "repo_id", + "public_repo", + "repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "metered_billing_configuration.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "@timestamp", + "_document_id", + "user_id", + "action", + "operation_type", + "created_at", + "request_access_security_header" + ] }, { "action": "metered_billing_configuration.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id" + ] }, { "action": "metered_billing_configuration.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "org", + "created_at", + "operation_type", + "org_id", + "@timestamp", + "_document_id", + "user_agent", + "request_id", + "actor", + "request_access_security_header" + ] }, { "action": "migration.create", "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "org_id", + "_document_id", + "org", + "repo_id", + "action", + "actor", + "created_at", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "actor_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "oauth_access.create", "description": "An OAuth access token was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token", + "fields": [ + "_document_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "user", + "user_id", + "created_at", + "action", + "actor_id", + "request_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens" }, { "action": "oauth_access.destroy", "description": "An OAuth access token was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps", + "fields": [ + "@timestamp", + "user_agent", + "action", + "operation_type", + "_document_id", + "actor", + "created_at", + "user", + "user_id", + "request_id", + "explanation", + "hashed_token", + "actor_id", + "token_scopes", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_access.regenerate", "description": "An OAuth access token was regenerated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "_document_id", + "created_at", + "@timestamp", + "operation_type", + "action", + "user_agent", + "request_id", + "actor", + "actor_id", + "token_scopes", + "programmatic_access_type", + "oauth_application_name" + ] }, { "action": "oauth_access.revoke", "description": "An OAuth access token was revoked.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "request_access_security_header", + "hashed_token", + "token_id", + "token_scopes", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "oauth_access.update", "description": "An OAuth access token was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "created_at", + "action", + "@timestamp", + "user", + "user_agent", + "request_access_security_header" + ] }, { "action": "oauth_application.create", "description": "An OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "org", + "created_at", + "oauth_application_id", + "operation_type", + "user_agent", + "actor_id", + "org_id", + "action", + "actor", + "oauth_application", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.destroy", "description": "An OAuth application was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "created_at", + "oauth_application_id", + "user_id", + "operation_type", + "@timestamp", + "user_agent", + "oauth_application", + "_document_id", + "actor", + "actor_id", + "request_id", + "action", + "user", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.generate_client_secret", "description": "An OAuth application's secret key was generated.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.remove_client_secret", "description": "An OAuth application's secret key was deleted.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.reset_secret", "description": "The secret key for an OAuth application was reset.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user", + "user_id", + "action", + "oauth_application", + "operation_type", + "request_id", + "actor_id", + "_document_id", + "created_at", + "actor", + "oauth_application_id", + "@timestamp", + "user_agent" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_all_tokens", "description": "All user tokens for an OAuth application were requested to be revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application", + "oauth_application_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.revoke_tokens", "description": "Token(s) for an OAuth application were revoked.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "oauth_application_id", + "oauth_application", + "actor_id", + "user_agent", + "@timestamp", + "request_id", + "user_id", + "action", + "_document_id", + "actor", + "user", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_application.transfer", "description": "An OAuth application was transferred from one account to another.", "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "oauth_application", + "actor_id", + "oauth_application_id", + "@timestamp", + "user_id", + "_document_id", + "request_id", + "user", + "action" + ], "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app" }, { "action": "oauth_authorization.create", "description": "An authorization for an OAuth application was created.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "operation_type", + "user_agent", + "user_id", + "actor", + "org_id", + "_document_id", + "request_id", + "action", + "@timestamp", + "created_at", + "actor_id", + "user", + "business", + "business_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "oauth_authorization.destroy", "description": "An authorization for an OAuth application was deleted.", "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations", + "fields": [ + "user_agent", + "_document_id", + "request_id", + "operation_type", + "@timestamp", + "actor", + "created_at", + "explanation", + "user", + "user_id", + "org_id", + "action", + "actor_id", + "token_scopes", + "actor_is_bot", + "oauth_application_name" + ], "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps" }, { "action": "oauth_authorization.update", "description": "An authorization for an OAuth application was updated.", "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps", + "fields": [ + "org_id", + "request_id", + "user_id", + "actor", + "actor_id", + "user_agent", + "@timestamp", + "operation_type", + "action", + "user", + "created_at", + "_document_id", + "actor_is_bot", + "request_access_security_header", + "oauth_application_name" + ], "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps" }, { "action": "org.add_member", "description": "A user joined an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "permission", + "_document_id", + "org", + "operation_type", + "request_id", + "actor", + "user", + "@timestamp", + "created_at", + "user_agent", + "org_id", + "user_id", + "actor_id", + "action", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "org.add_outside_collaborator", "description": "An outside collaborator was added to a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "inviter", + "org", + "org_id", + "repo", + "repo_id", + "public_repo", + "permission", + "invitee", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "org.advanced_security_disabled_for_new_repos", "description": "GitHub Advanced Security was disabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_disabled_on_all_repos", "description": "GitHub Advanced Security was disabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_for_new_repos", "description": "GitHub Advanced Security was enabled for new repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes" + ] }, { "action": "org.advanced_security_enabled_on_all_repos", "description": "GitHub Advanced Security was enabled for all repositories in an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "org", + "org_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes" + ] }, { "action": "org.remove_member", "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "request_id", + "actor_id", + "user_agent", + "actor", + "action", + "user_id", + "@timestamp", + "created_at", + "user", + "operation_type", + "org_id", + "org", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "org.security_center_export_code_scanning_metrics", "description": "A CSV export was requested on the CodeQL pull request alerts page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot" + ] }, { "action": "org.security_center_export_coverage", "description": "A CSV export was requested on the Coverage page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_overview_dashboard", "description": "A CSV export was requested on the Overview Dashboard page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "start_date", + "end_date", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.security_center_export_risk", "description": "A CSV export was requested on the Risk page.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "user", + "user_id", + "query", + "filename", + "requested_at", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "org.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks" }, { "action": "org.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "policy", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.", "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "limit", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization" }, { "action": "org.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization" }, { "action": "org.set_fork_pr_workflows_policy", "description": "The policy for workflows on private repository forks was changed.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "policy", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks" }, { "action": "org.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.", "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "org.update_member", "description": "A person's role was changed from owner to member or member to owner.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "org_id", + "created_at", + "_document_id", + "user", + "user_id", + "action", + "request_id", + "actor_id", + "old_permission", + "permission", + "actor", + "user_agent", + "operation_type", + "org" + ] }, { "action": "org.update_member_repository_creation_permission", "description": "The create repository permission for organization members was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "action", + "@timestamp", + "request_id", + "actor_id", + "permission", + "created_at", + "user_agent", + "org", + "org_id", + "_document_id", + "visibility", + "operation_type" + ] }, { "action": "org.update_member_repository_invitation_permission", "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.", "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "fields": [ + "actor_id", + "permission", + "action", + "org_id", + "actor", + "created_at", + "_document_id", + "business_id", + "operation_type", + "org", + "user_agent", + "request_id", + "business", + "@timestamp" + ], "docs_reference_titles": "Setting permissions for adding outside collaborators" }, { "action": "pages_protected_domain.create", "description": "A GitHub Pages verified domain was created for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.delete", "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "pages_protected_domain.verify", "description": "A GitHub Pages domain was verified for an organization or enterprise.", "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "owner", + "owner_type", + "domain", + "state", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages" }, { "action": "passkey.register", "description": "A new passkey was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "passkey.remove", "description": "A new passkey was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "nickname", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "payment_method.create", "description": "A new payment method was added, such as a new credit card or PayPal account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user", + "operation_type", + "user_id", + "_document_id", + "action", + "actor", + "actor_id", + "@timestamp", + "created_at", + "request_access_security_header" + ] }, { "action": "payment_method.remove", "description": "A payment method was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "actor_id", + "@timestamp", + "user_id", + "action", + "operation_type", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "payment_method.update", "description": "An existing payment method was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "request_id", + "org_id", + "created_at", + "actor_id", + "@timestamp", + "action", + "actor", + "org", + "user_agent", + "_document_id", + "request_access_security_header" + ] }, { "action": "personal_access_token.access_granted", "description": "A fine-grained personal access token was granted access to resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.access_revoked", "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "repository_selection", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.create", "description": "Triggered when you create a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "personal_access_token.credential_regenerated", "description": "Triggered when you regenerate a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.credential_revoked", "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.", "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users", + "fields": [ + "user_programmatic_access_name", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users" }, { "action": "personal_access_token.destroy", "description": "Triggered when you delete a fine-grained personal access token.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "explanation", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "personal_access_token.request_cancelled", "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ] }, { "action": "personal_access_token.request_created", "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.request_denied", "description": "A request for a fine-grained personal access token to access organization resources was denied.", "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user_programmatic_access_name", + "org", + "org_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "user_programmatic_access_request_id" + ], "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization" }, { "action": "personal_access_token.update", "description": "A fine-grained personal access token was updated.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user_programmatic_access_name", + "user", + "user_id", + "repository_selection", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens" }, { "action": "premium_runner.create", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "premium_runner.update", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "name", + "runner_group_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.disable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "private_vulnerability_reporting_new_repos.enable", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "profile_picture.update", "description": "A profile picture was updated.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile", + "fields": [ + "user", + "actor_id", + "user_id", + "@timestamp", + "created_at", + "owner", + "action", + "_document_id", + "request_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile" }, { "action": "project.access", "description": "A project board visibility was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "actor", + "user_agent", + "operation_type", + "user", + "created_at", + "user_id", + "action", + "request_id", + "_document_id", + "@timestamp" + ] }, { "action": "project.close", "description": "A project board was closed.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board", + "fields": [ + "org_id", + "user_agent", + "request_id", + "operation_type", + "@timestamp", + "created_at", + "repo_id", + "org", + "_document_id", + "project_id", + "action", + "actor", + "actor_id", + "repo", + "project_kind" + ], "docs_reference_titles": "Closing a project (classic)" }, { "action": "project_collaborator.add", "description": "A collaborator was added to a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "org", + "org_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "public_project", + "project_name", + "project_role", + "old_project_role", + "request_access_security_header" + ] }, { "action": "project_collaborator.remove", "description": "A collaborator was removed from a project.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "collaborator_type", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project_collaborator.update", "description": "A project collaborator's permission level was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "public_project", + "project_name", + "collaborator_type", + "project_role", + "old_project_role", + "project_id", + "user", + "user_id", + "collaborator", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "project.create", "description": "A project board was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user", + "_document_id", + "request_id", + "user_id", + "user_agent", + "@timestamp", + "actor_id", + "action", + "created_at", + "actor" + ] }, { "action": "project.delete", "description": "A project board was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "actor_id", + "operation_type", + "actor", + "user_id", + "@timestamp", + "created_at", + "_document_id", + "user_agent", + "user" + ] }, { "action": "project_field.create", "description": "A field was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields" }, { "action": "project_field.delete", "description": "A field was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields" }, { "action": "project.link", "description": "A repository was linked to a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo_id", + "action", + "actor_id", + "org_id", + "user_agent", + "request_id", + "actor", + "operation_type", + "@timestamp", + "_document_id", + "created_at", + "org", + "repo" + ] }, { "action": "project.open", "description": "A project board was reopened.", "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board", + "fields": [ + "actor", + "request_id", + "actor_id", + "action", + "user_id", + "project_id", + "_document_id", + "user_agent", + "operation_type", + "user", + "@timestamp", + "created_at", + "project_kind", + "project_name" + ], "docs_reference_titles": "Reopening a closed project (classic)" }, { "action": "project.rename", "description": "A project board was renamed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "created_at", + "request_id", + "actor_id", + "old_name", + "operation_type", + "@timestamp", + "repo", + "_document_id", + "user_agent", + "org_id", + "business_id", + "actor", + "repo_id", + "org", + "business" + ] }, { "action": "project.unlink", "description": "A repository was unlinked from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "repo_id", + "operation_type", + "actor", + "action", + "created_at", + "actor_id", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "org", + "org_id" + ] }, { "action": "project.update_org_permission", "description": "The project's base-level permission for all organization members was changed or removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "org", + "@timestamp", + "_document_id", + "operation_type", + "created_at", + "request_id", + "actor_id", + "action", + "org_id", + "user_agent" + ] }, { "action": "project.update_team_permission", "description": "A team's project board permission level was changed or when a team was added or removed from a project board.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "org_id", + "operation_type", + "org", + "actor_id", + "_document_id", + "request_id", + "team", + "@timestamp", + "action", + "user_agent", + "actor" + ] }, { "action": "project.update_user_permission", "description": "A user was added to or removed from a project board or had their permission level changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user_id", + "operation_type", + "@timestamp", + "actor_id", + "user", + "user_agent", + "actor", + "created_at", + "org", + "_document_id", + "org_id", + "action", + "programmatic_access_type" + ] }, { "action": "project_view.create", "description": "A view was created in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project_view.delete", "description": "A view was deleted in a project board.", "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views" }, { "action": "project.visibility_private", "description": "A project's visibility was changed from public to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name" + ] }, { "action": "project.visibility_public", "description": "A project's visibility was changed from private to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "project_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "project_kind", + "project_name", + "request_access_security_header" + ] }, { "action": "protected_branch.update_merge_queue_enforcement_level", "description": "Enforcement of the merge queue was modified for a branch.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "merge_queue_enforcement_level", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue" }, { "action": "public_key.create", "description": "An SSH key was added to a user account or a deploy key was added to a repository.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account", + "fields": [ + "read_only", + "user_agent", + "actor_id", + "operation_type", + "created_at", + "_document_id", + "key", + "fingerprint", + "actor", + "action", + "user", + "user_id", + "@timestamp", + "request_id", + "title", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account" }, { "action": "public_key.delete", "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys", + "fields": [ + "fingerprint", + "user_agent", + "read_only", + "explanation", + "repo", + "@timestamp", + "action", + "key", + "operation_type", + "_document_id", + "actor", + "title", + "request_id", + "actor_id", + "repo_id", + "created_at", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys" }, { "action": "public_key.unverification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "user_agent", + "request_id", + "title", + "key", + "fingerprint", + "read_only", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "token_scopes" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.unverify", "description": "A user account's SSH key or a repository's deploy key was unverified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "created_at", + "operation_type", + "_document_id", + "title", + "request_id", + "key", + "action", + "actor", + "read_only", + "explanation", + "repo_id", + "@timestamp", + "actor_id", + "repo", + "user_agent", + "fingerprint" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.update", "description": "A user account's SSH key or a repository's deploy key was updated.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "actor", + "user_agent", + "key", + "fingerprint", + "read_only", + "repo_id", + "operation_type", + "created_at", + "actor_id", + "repo", + "action", + "_document_id", + "request_id", + "title", + "@timestamp", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verification_failure", "description": "A user account's SSH key or a repository's deploy key was unable to be verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "repo_id", + "actor", + "key", + "fingerprint", + "@timestamp", + "request_id", + "actor_id", + "oauth_application_id", + "title", + "action", + "user_agent", + "created_at", + "repo", + "read_only", + "operation_type", + "_document_id", + "user", + "user_id", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "public_key.verify", "description": "A user account's SSH key or a repository's deploy key was verified.", "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys", + "fields": [ + "operation_type", + "user", + "@timestamp", + "_document_id", + "action", + "created_at", + "key", + "fingerprint", + "actor_id", + "actor", + "title", + "user_agent", + "user_id", + "request_id", + "read_only", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys" }, { "action": "repo.access", "description": "The visibility of a repository changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility", + "fields": [ + "repo_id", + "user", + "request_id", + "operation_type", + "@timestamp", + "actor_id", + "user_id", + "created_at", + "user_agent", + "actor", + "action", + "repo", + "visibility", + "_document_id", + "previous_visibility", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility" }, { "action": "repo.actions_enabled", "description": "GitHub Actions was enabled for a repository.", "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api" }, { "action": "repo.add_member", "description": "A collaborator was added to a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository", + "fields": [ + "visibility", + "repo", + "created_at", + "user_agent", + "operation_type", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "repo_id", + "user", + "request_id", + "action", + "user_id", + "oauth_application_id", + "org", + "org_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository" }, { "action": "repo.add_topic", "description": "A topic was added to a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics", + "fields": [ + "action", + "user_agent", + "actor", + "repo", + "repo_id", + "user", + "org", + "org_id", + "request_id", + "actor_id", + "topic", + "@timestamp", + "_document_id", + "user_id", + "created_at", + "operation_type", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics" }, { "action": "repo.advanced_security_disabled", "description": "GitHub Advanced Security was disabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.advanced_security_enabled", "description": "GitHub Advanced Security was enabled for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "repository", + "repository_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository" }, { "action": "repo.archived", "description": "A repository was archived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "repo_id", + "user_agent", + "user_id", + "created_at", + "@timestamp", + "repo", + "user", + "operation_type", + "visibility", + "action", + "actor_id", + "actor", + "_document_id", + "request_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.change_merge_setting", "description": "Pull request merge options were changed for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "oauth_application_id", + "user_agent", + "request_id", + "created_at", + "@timestamp", + "_document_id", + "actor_id", + "operation_type", + "action", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.code_scanning_analysis_deleted", "description": "Code scanning analysis for a repository was deleted.", "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "tool", + "category", + "request_access_security_header" + ], "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository" }, { "action": "repo.code_scanning_configuration_for_branch_deleted", "description": "A code scanning configuration for a branch of a repository was deleted.", "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "tool", + "branch", + "category", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Resolving code scanning alerts" }, { "action": "repo.config.disable_collaborators_only", "description": "The interaction limit for collaborators only was disabled.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "actor", + "actor_id", + "repo_id", + "_document_id", + "action", + "created_at", + "repo", + "operation_type", + "@timestamp", + "request_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_contributors_only", "description": "The interaction limit for prior contributors only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "repo", + "@timestamp", + "request_id", + "actor", + "_document_id", + "user_agent", + "actor_id", + "repo_id", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.disable_sockpuppet_disallowed", "description": "The interaction limit for existing users only was disabled in a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "request_id", + "repo_id", + "action", + "user_agent", + "_document_id", + "@timestamp", + "created_at", + "actor_id", + "repo", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_collaborators_only", "description": "The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "oauth_application_id", + "created_at", + "action", + "request_id", + "repo_id", + "repo", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_contributors_only", "description": "The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "operation_type", + "created_at", + "actor", + "org", + "action", + "actor_id", + "repo", + "repo_id", + "org_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.config.enable_sockpuppet_disallowed", "description": "The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.", "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository", + "fields": [ + "actor", + "operation_type", + "created_at", + "user_agent", + "request_id", + "action", + "actor_id", + "repo", + "repo_id", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository" }, { "action": "repo.configure_self_hosted_jit_runner", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "oauth_application_id", + "token_id", + "token_scopes", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.create", "description": "A repository was created.", "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository", + "fields": [ + "repo", + "user_id", + "visibility", + "repo_id", + "user", + "request_id", + "actor_id", + "action", + "operation_type", + "request_category", + "@timestamp", + "created_at", + "_document_id", + "actor", + "user_agent", + "org", + "oauth_application_id", + "org_id", + "request_method", + "business", + "business_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository" }, { "action": "repo.create_actions_secret", "description": "A GitHub Actions secret was created for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.create_actions_variable", "description": "A GitHub Actions variable was created for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.create_integration_secret", "description": "A Codespaces or Dependabot secret was created for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.destroy", "description": "A repository was deleted.", "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository", + "fields": [ + "repo", + "_document_id", + "user_agent", + "user_id", + "actor", + "action", + "user", + "repo_id", + "operation_type", + "request_category", + "actor_id", + "visibility", + "request_id", + "created_at", + "@timestamp", + "request_method", + "oauth_application_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository" }, { "action": "repo.pages_cname", "description": "A GitHub Pages custom domain was modified in a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "@timestamp", + "visibility", + "repo", + "repo_id", + "user", + "request_id", + "actor_id", + "cname", + "user_agent", + "user_id", + "created_at", + "_document_id", + "action", + "operation_type", + "old_cname", + "programmatic_access_type" + ] }, { "action": "repo.pages_create", "description": "A GitHub Pages site was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "_document_id", + "user_id", + "visibility", + "action", + "user_agent", + "operation_type", + "repo_id", + "created_at", + "@timestamp", + "request_id", + "actor", + "repo", + "programmatic_access_type" + ] }, { "action": "repo.pages_destroy", "description": "A GitHub Pages site was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "user_id", + "action", + "request_id", + "user", + "repo", + "user_agent", + "_document_id", + "actor_id", + "@timestamp", + "actor", + "visibility", + "operation_type", + "repo_id", + "programmatic_access_type" + ] }, { "action": "repo.pages_https_redirect_disabled", "description": "HTTPS redirects were disabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "actor_id", + "repo_id", + "_document_id", + "user_agent", + "actor", + "visibility", + "user_id", + "request_id", + "repo", + "@timestamp", + "operation_type", + "action", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_https_redirect_enabled", "description": "HTTPS redirects were enabled for a GitHub Pages site.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "user_id", + "created_at", + "visibility", + "actor", + "actor_id", + "user", + "operation_type", + "repo_id", + "action", + "repo", + "_document_id", + "request_access_security_header" + ] }, { "action": "repo.pages_private", "description": "A GitHub Pages site visibility was changed to private.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "repo.pages_public", "description": "A GitHub Pages site visibility was changed to public.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete", "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_soft_delete_restore", "description": "A GitHub Pages site that was previously soft-deleted was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "repo.pages_source", "description": "A GitHub Pages source was modified.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor_id", + "operation_type", + "user_agent", + "actor", + "@timestamp", + "repo_id", + "user", + "_document_id", + "request_id", + "visibility", + "repo", + "created_at", + "action", + "programmatic_access_type" + ] }, { "action": "repo.register_self_hosted_runner", "description": "A new self-hosted runner was registered.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository", + "fields": [ + "actor_id", + "repo", + "operation_type", + "action", + "@timestamp", + "actor", + "user_agent", + "created_at", + "_document_id", + "request_id", + "repo_id", + "request_access_security_header" + ], "docs_reference_titles": "Adding self-hosted runners" }, { "action": "repo.remove_actions_secret", "description": "A GitHub Actions secret was deleted for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.remove_actions_variable", "description": "A GitHub Actions variable was deleted for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.remove_integration_secret", "description": "A Codespaces or Dependabot secret was deleted for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.remove_member", "description": "A collaborator was removed from a repository.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository", + "fields": [ + "request_id", + "user", + "business", + "action", + "actor_id", + "org", + "org_id", + "actor", + "created_at", + "repo_id", + "user_agent", + "business_id", + "user_id", + "operation_type", + "@timestamp", + "_document_id", + "visibility", + "repo", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository" }, { "action": "repo.remove_self_hosted_runner", "description": "A self-hosted runner was removed.", "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository", + "fields": [ + "request_id", + "actor_id", + "repo_id", + "@timestamp", + "_document_id", + "repo", + "org_id", + "action", + "operation_type", + "user_agent", + "actor", + "created_at", + "org", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Removing self-hosted runners" }, { "action": "repo.remove_topic", "description": "A topic was removed from a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "repo_id", + "user_agent", + "topic", + "operation_type", + "user_id", + "org", + "org_id", + "actor", + "business", + "request_id", + "repo", + "@timestamp", + "created_at", + "_document_id", + "actor_id", + "business_id", + "programmatic_access_type" + ] }, { "action": "repo.rename", "description": "A repository was renamed.", "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository", + "fields": [ + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "actor", + "old_name", + "repo", + "user_id", + "created_at", + "user", + "action", + "operation_type", + "visibility", + "repo_id", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository" }, { "action": "repo.restore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "action", + "_document_id", + "actor_id", + "user", + "operation_type", + "user_agent", + "request_id", + "repo_id", + "@timestamp", + "created_at", + "actor", + "user_id" + ] }, { "action": "repo.set_actions_fork_pr_approvals_policy", "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "public_repo" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks" }, { "action": "repo.set_actions_private_fork_pr_approvals_policy", "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "policy", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories" }, { "action": "repo.set_actions_retention_limit", "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "limit", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository" }, { "action": "repo.set_default_workflow_permissions", "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository" }, { "action": "repo.set_fork_pr_workflows_policy", "description": "Triggered when the policy for workflows on private repository forks is changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks" }, { "action": "repo.set_workflow_permission_can_approve_pr", "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "visibility", + "repo", + "repo_id", + "public_repo", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests" }, { "action": "repo.staff_unlock", "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "created_at", + "actor", + "repo_id", + "action", + "org", + "org_id", + "request_id", + "repo", + "operation_type" + ] }, { "action": "repo.temporary_access_granted", "description": "Temporary access was enabled for a repository.", "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "repo", + "repo_id", + "public_repo", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ], "docs_reference_titles": "Accessing user-owned repositories in your enterprise" }, { "action": "repo.transfer", "description": "A user accepted a request to receive a transferred repository.", "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository", + "fields": [ + "@timestamp", + "user_id", + "_document_id", + "request_id", + "actor_id", + "repo_id", + "owner", + "user", + "old_user", + "action", + "operation_type", + "created_at", + "user_agent", + "repo", + "visibility", + "repo_was", + "actor" + ], "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository" }, { "action": "repo.transfer_outgoing", "description": "A repository was transferred to another repository network.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "new_nwo", + "visibility", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "public_repo", + "request_access_security_header" + ] }, { "action": "repo.transfer_start", "description": "A user sent a request to transfer a repository to another user or organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "operation_type", + "user_id", + "request_id", + "user", + "action", + "user_agent", + "created_at", + "actor", + "visibility", + "repo_id", + "actor_id", + "repo", + "request_access_security_header" + ] }, { "action": "repo.unarchived", "description": "A repository was unarchived.", "docs_reference_links": "/repositories/archiving-a-github-repository", + "fields": [ + "actor", + "request_id", + "actor_id", + "repo", + "operation_type", + "created_at", + "_document_id", + "repo_id", + "user", + "@timestamp", + "visibility", + "user_agent", + "user_id", + "action", + "programmatic_access_type" + ], "docs_reference_titles": "/repositories/archiving-a-github-repository" }, { "action": "repo.update_actions_access_settings", "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "policy", + "old_policy", + "repo", + "repo_id", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id" + ] }, { "action": "repo.update_actions_secret", "description": "A GitHub Actions secret was updated for a repository.", "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "oauth_application_id", + "key", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "business", + "business_id", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "Using secrets in GitHub Actions" }, { "action": "repo.update_actions_settings", "description": "A repository administrator changed GitHub Actions policy settings for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "new_policy", + "old_policy", + "updated_access_policy", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_actions_variable", "description": "A GitHub Actions variable was updated for a repository.", "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "request_access_security_header" + ], "docs_reference_titles": "Store information in variables" }, { "action": "repo.update_default_branch", "description": "The default branch for a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "visibility", + "repo", + "repo_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repo.update_integration_secret", "description": "A Codespaces or Dependabot secret was updated for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "key", + "visibility", + "integration", + "repo", + "repo_id", + "org", + "org_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "repo.update_member", "description": "A user's permission to a repository was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "_document_id", + "actor", + "repo_id", + "created_at", + "oauth_application_id", + "user", + "@timestamp", + "repo", + "operation_type", + "request_id", + "org_id", + "actor_id", + "visibility", + "old_permission", + "org", + "user_id", + "old_base_role", + "old_repo_permission", + "old_repo_base_role", + "new_repo_base_role", + "new_repo_permission", + "token_scopes", + "programmatic_access_type", + "actor_is_bot" + ] }, { "action": "repository_image.create", "description": "An image to represent a repository was uploaded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "operation_type", + "created_at", + "actor_id", + "repo_id", + "action", + "request_id", + "actor", + "content_type", + "repo", + "@timestamp", + "_document_id", + "user", + "user_id", + "request_access_security_header" + ] }, { "action": "repository_image.destroy", "description": "An image to represent a repository was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "content_type", + "created_at", + "actor_id", + "user_id", + "operation_type", + "request_id", + "_document_id", + "actor", + "repo_id", + "user_agent", + "repo", + "user", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "repository_invitation.accept", "description": "An invitation to join a repository was accepted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "created_at", + "request_id", + "repo", + "invitee", + "operation_type", + "actor", + "repo_id", + "_document_id", + "action", + "user_agent", + "inviter", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.cancel", "description": "An invitation to join a repository was canceled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "inviter", + "action", + "operation_type", + "_document_id", + "repo_id", + "repo", + "@timestamp", + "user_agent", + "invitee", + "created_at", + "request_id", + "actor", + "actor_id", + "request_access_security_header" + ] }, { "action": "repository_invitation.create", "description": "An invitation to join a repository was sent.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "actor", + "actor_id", + "@timestamp", + "invitee", + "action", + "request_id", + "inviter", + "repo", + "created_at", + "user_agent", + "repo_id", + "operation_type", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "repository_invitation.reject", "description": "An invitation to join a repository was declined.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "repo", + "_document_id", + "actor", + "invitee", + "action", + "@timestamp", + "request_id", + "actor_id", + "operation_type", + "created_at", + "inviter", + "user_agent", + "repo_id" + ] }, { "action": "repository_ruleset.create", "description": "A repository ruleset was created.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_conditions", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository" }, { "action": "repository_ruleset.destroy", "description": "A repository ruleset was deleted.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules", + "ruleset_bypass_actors", + "request_access_security_header" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset" }, { "action": "repository_ruleset.update", "description": "A repository ruleset was edited.", "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "old_name", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "ruleset_id", + "ruleset_name", + "ruleset_enforcement", + "ruleset_source_type", + "ruleset_rules_updated", + "ruleset_conditions_added", + "ruleset_conditions_deleted", + "ruleset_old_enforcement", + "ruleset_rules_added", + "ruleset_rules_deleted", + "ruleset_old_name", + "ruleset_conditions_updated", + "ruleset_bypass_actors_added", + "ruleset_bypass_actors_deleted", + "ruleset_bypass_actors_updated", + "actor_is_bot" + ], "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset" }, { "action": "security_key.register", "description": "A security key was registered for an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "created_at", + "user_id", + "action", + "operation_type", + "request_id", + "@timestamp", + "_document_id", + "actor", + "user_agent", + "request_access_security_header" + ] }, { "action": "security_key.remove", "description": "A security key was removed from an account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "operation_type", + "_document_id", + "user_agent", + "@timestamp", + "request_id", + "actor_id", + "action", + "created_at", + "user", + "request_access_security_header" + ] }, { "action": "sponsors.agreement_sign", "description": "A GitHub Sponsors agreement was signed on behalf of an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.custom_amount_settings_change", "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.fiscal_host_change", "description": "The fiscal host for a GitHub Sponsors listing was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "org", + "org_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.repo_funding_links_file_action", "description": "The FUNDING file in a repository was changed.", "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository", + "fields": [ + "@timestamp", + "action", + "created_at", + "_document_id", + "request_id", + "repository", + "repository_id", + "actor", + "user_agent", + "actor_id", + "operation_type" + ], "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository" }, { "action": "sponsors.sponsor_sponsorship_cancel", "description": "A sponsorship was canceled.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "operation_type", + "_document_id", + "created_at", + "actor", + "user", + "action", + "actor_id", + "user_id", + "@timestamp" + ], "docs_reference_titles": "Downgrading a sponsorship" }, { "action": "sponsors.sponsor_sponsorship_create", "description": "A sponsorship was created, by sponsoring an account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "actor", + "user_id", + "action", + "@timestamp", + "user_agent", + "request_id", + "user", + "operation_type", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_payment_complete", "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes", + "fields": [ + "active", + "user", + "user_id", + "actor", + "actor_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes" }, { "action": "sponsors.sponsor_sponsorship_preference_change", "description": "The option to receive email updates from a sponsored account was changed.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship", + "fields": [ + "actor_id", + "action", + "@timestamp", + "request_id", + "user_id", + "created_at", + "user", + "_document_id", + "user_agent", + "actor", + "operation_type" + ], "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship" }, { "action": "sponsors.sponsor_sponsorship_tier_change", "description": "A sponsorship was upgraded or downgraded.", "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship", + "fields": [ + "user_id", + "actor", + "actor_id", + "action", + "user", + "operation_type", + "@timestamp", + "_document_id", + "created_at" + ], "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship" }, { "action": "sponsors.sponsored_developer_approve", "description": "A GitHub Sponsors account was approved.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "action", + "user_agent", + "request_id", + "actor", + "user", + "operation_type", + "@timestamp", + "created_at", + "actor_id", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_create", "description": "A GitHub Sponsors account was created.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_id", + "operation_type", + "request_id", + "actor_id", + "@timestamp", + "_document_id", + "user", + "action", + "created_at", + "user_agent", + "actor" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_disable", "description": "A GitHub Sponsors account was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "sponsors.sponsored_developer_profile_update", "description": "The profile for GitHub Sponsors account was edited.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors", + "fields": [ + "@timestamp", + "actor_id", + "operation_type", + "created_at", + "user_agent", + "request_id", + "actor", + "action", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors" }, { "action": "sponsors.sponsored_developer_redraft", "description": "A GitHub Sponsors account was returned to draft state from approved state.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "request_id", + "user", + "action", + "user_agent", + "operation_type", + "_document_id", + "actor", + "actor_id", + "user_id" + ] }, { "action": "sponsors.sponsored_developer_request_approval", "description": "An application for GitHub Sponsors was submitted for approval.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "user_agent", + "user", + "@timestamp", + "actor_id", + "user_id", + "request_id", + "_document_id", + "actor", + "action", + "operation_type", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.sponsored_developer_tier_description_update", "description": "The description for a sponsorship tier was changed.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers", + "fields": [ + "operation_type", + "request_id", + "actor", + "user_id", + "action", + "@timestamp", + "_document_id", + "user_agent", + "actor_id", + "user", + "created_at" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers" }, { "action": "sponsors.sponsored_developer_update_newsletter_send", "description": "Triggered when you send an email update to your sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors", + "fields": [ + "request_id", + "actor", + "action", + "user_agent", + "operation_type", + "_document_id", + "created_at", + "actor_id", + "user", + "user_id", + "@timestamp" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors" }, { "action": "sponsors.sponsors_patreon_user_create", "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account" }, { "action": "sponsors.sponsors_patreon_user_destroy", "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.", "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "patreon_email", + "patreon_username", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ], "docs_reference_titles": "Unlinking your Patreon account from GitHub" }, { "action": "sponsors.update_tier_repository", "description": "A GitHub Sponsors tier changed access for a repository.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "repo", + "repo_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.update_tier_welcome_message", "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "sponsors.waitlist_join", "description": "You join the waitlist to join GitHub Sponsors.", "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account", + "fields": [ + "request_id", + "actor", + "user_id", + "user_agent", + "actor_id", + "action", + "operation_type", + "created_at", + "user", + "@timestamp", + "_document_id" + ], "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account" }, { "action": "sponsors.withdraw_agreement_signature", "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "sponsors_listing_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "successor_invitation.accept", "description": "Triggered when you accept a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.cancel", "description": "Triggered when you cancel a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.create", "description": "Triggered when you create a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.decline", "description": "Triggered when you decline a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "successor_invitation.destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "successor_invitation.revoke", "description": "Triggered when you revoke a succession invitation.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories" }, { "action": "trusted_device.register", "description": "A new trusted device was added.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "trusted_device.remove", "description": "A trusted device was removed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "two_factor_account_recovery.abort", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "action", + "request_id", + "user_id", + "@timestamp", + "_document_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "two_factor_account_recovery.complete", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "created_at", + "user_id", + "operation_type", + "user", + "_document_id", + "user_agent", + "action" + ] }, { "action": "two_factor_account_recovery.ignore", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "_document_id", + "created_at", + "user_id", + "operation_type", + "@timestamp", + "user", + "action" + ] }, { "action": "two_factor_account_recovery.staff_approve", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "action", + "_document_id" + ] }, { "action": "two_factor_account_recovery.staff_decline", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "actor", + "action", + "@timestamp", + "user_agent", + "operation_type", + "user", + "created_at", + "request_id", + "actor_id", + "_document_id" + ] }, { "action": "two_factor_account_recovery.start", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "operation_type", + "@timestamp", + "user_agent", + "request_id", + "created_at", + "user_id", + "action", + "_document_id", + "request_access_security_header" + ] }, { "action": "two_factor_account_recovery.two_factor_destroy", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "user_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "user", + "_document_id", + "request_id" + ] }, { "action": "two_factor_authentication.add_factor", "description": "A secondary authentication factor was added to a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.disabled", "description": "Two-factor authentication was disabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account", + "fields": [ + "actor", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "actor_id", + "created_at", + "operation_type", + "request_id", + "@timestamp", + "request_access_security_header" + ], "docs_reference_titles": "Disabling two-factor authentication for your personal account" }, { "action": "two_factor_authentication.enabled", "description": "Two-factor authentication was enabled for a user account.", "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "operation_type", + "user_agent", + "action", + "created_at", + "actor_id", + "@timestamp", + "request_id", + "user", + "user_id", + "_document_id", + "request_access_security_header" + ], "docs_reference_titles": "Configuring two-factor authentication" }, { "action": "two_factor_authentication.password_reset_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user", + "user_id", + "action", + "@timestamp", + "request_id", + "_document_id", + "user_agent" + ] }, { "action": "two_factor_authentication.recovery_codes_regenerated", "description": "Two factor recovery codes were regenerated for a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "operation_type", + "_document_id", + "user_id", + "action", + "user", + "user_agent", + "actor_id", + "@timestamp", + "created_at" + ] }, { "action": "two_factor_authentication.remove_factor", "description": "A secondary authentication factor was removed from a user account.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication" }, { "action": "two_factor_authentication.sign_in_fallback_sms", "description": "A one-time password code was sent to a user account fallback phone number.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "operation_type", + "user_id", + "user", + "user_agent", + "created_at", + "_document_id", + "action", + "@timestamp" + ] }, { "action": "two_factor_authentication.update_fallback", "description": "The two-factor authentication fallback for a user account was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "created_at", + "_document_id", + "user", + "user_id", + "operation_type", + "user_agent", + "action", + "request_id", + "actor", + "actor_id" + ] }, { "action": "user.add_email", "description": "An email address was added to a user account.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account", + "fields": [ + "action", + "request_id", + "user", + "user_id", + "user_agent", + "operation_type", + "_document_id", + "actor_id", + "actor", + "email", + "@timestamp", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account" }, { "action": "user.async_delete", "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "user_id", + "created_at", + "user", + "@timestamp", + "_document_id", + "request_id", + "actor_id", + "operation_type", + "user_agent", + "action", + "request_access_security_header" + ] }, { "action": "user.audit_log_export", "description": "Audit log entries were exported.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user", + "action", + "request_id", + "actor", + "@timestamp", + "_document_id", + "user_agent", + "user_id", + "operation_type", + "created_at" + ] }, { "action": "user.block_user", "description": "A user was blocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "action", + "actor", + "user_id", + "_document_id", + "actor_id", + "@timestamp", + "user_agent", + "user", + "request_id", + "blocked_user", + "operation_type", + "created_at", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.change_password", "description": "A user changed their password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "@timestamp", + "user_agent", + "actor_id", + "operation_type", + "actor", + "user", + "user_id", + "action", + "created_at", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.codespaces_trusted_repo_access_granted", "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "programmatic_access_type" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.codespaces_trusted_repo_access_revoked", "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.", "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ], "docs_reference_titles": "Managing access to other repositories within your codespace" }, { "action": "user.create", "description": "A new user account was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "email", + "user_id", + "operation_type", + "@timestamp", + "request_id", + "user", + "created_at", + "_document_id", + "user_agent", + "actor", + "actor_id", + "action", + "programmatic_access_type" + ] }, { "action": "user.create_integration_secret", "description": "A user secret for Codespaces was created.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.creation_rate_limit_exceeded", "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "created_at", + "user_agent", + "_document_id", + "operation_type", + "oauth_application_id", + "action", + "actor", + "actor_id", + "request_id", + "user_id", + "@timestamp", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.delete", "description": "A user account was destroyed by an asynchronous job.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "user_agent", + "action", + "request_id", + "user_id", + "actor", + "actor_id", + "user", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.demote", "description": "A site administrator was demoted to an ordinary user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "oauth_application_id", + "action", + "user", + "created_at", + "user_agent", + "request_id", + "actor", + "actor_id", + "operation_type", + "_document_id", + "user_id", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.destroy", "description": "A user deleted his or her account, triggering user.async_delete.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "user", + "_document_id", + "created_at", + "user_agent", + "user_id", + "operation_type", + "actor_id", + "action", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.device_verification_failure", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user", + "user_agent", + "user_id", + "actor_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.device_verification_requested", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "user_id", + "actor", + "operation_type", + "created_at", + "_document_id", + "@timestamp", + "user", + "actor_id", + "action", + "request_access_security_header" + ] }, { "action": "user.device_verification_success", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "user", + "_document_id", + "action", + "operation_type", + "user_agent", + "created_at", + "request_id", + "actor", + "actor_id", + "user_id", + "request_access_security_header" + ] }, { "action": "user.disable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.disable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user_email.confirm_claim", "description": "An enterprise managed user claimed an email address.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "user_email.mark_as_unclaimed", "description": "N/A", "docs_reference_links": "An enterprise managed user unclaimed an email address.", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "business", + "business_id", + "actor_is_bot", + "request_access_security_header" + ], "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address." }, { "action": "user.enable_collaborators_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_contributors_only", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.enable_sockpuppet_disallowed", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id" + ] }, { "action": "user.failed_login", "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "operation_type", + "request_id", + "created_at", + "_document_id", + "@timestamp", + "user", + "org_id", + "actor", + "actor_id", + "user_agent" + ] }, { "action": "user.forgot_password", "description": "A user requested a password reset.", "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials", + "fields": [ + "action", + "_document_id", + "user_agent", + "request_id", + "user", + "operation_type", + "@timestamp", + "email", + "created_at", + "user_id", + "request_access_security_header" + ], "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials" }, { "action": "user.grant_github_developer", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "created_at", + "user_agent", + "@timestamp", + "_document_id", + "user", + "user_id", + "actor", + "operation_type", + "request_id" + ] }, { "action": "user.hide_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.login", "description": "A user signed in.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user_id", + "actor_id", + "@timestamp", + "user", + "action", + "operation_type", + "_document_id", + "request_id", + "created_at", + "actor", + "passkey_nickname", + "request_access_security_header" + ] }, { "action": "user.logout", "description": "A user signed out.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.new_device_used", "description": "A user signed in from a new device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "user_id", + "actor", + "operation_type", + "created_at", + "user_agent", + "actor_id", + "action", + "@timestamp", + "_document_id", + "request_id", + "request_access_security_header" + ] }, { "action": "user.promote", "description": "An ordinary user account was promoted to a site administrator.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "action", + "actor", + "actor_id", + "user", + "@timestamp", + "created_at", + "user_agent", + "oauth_application_id", + "request_id", + "operation_type", + "_document_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.recreate", "description": "A user's account was restored.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "user", + "action", + "actor_id", + "@timestamp", + "_document_id", + "request_id", + "user_id", + "created_at", + "actor", + "operation_type" + ] }, { "action": "user.remove_email", "description": "An email address was removed from a user account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "action", + "@timestamp", + "_document_id", + "request_id", + "user", + "user_id", + "operation_type", + "actor", + "actor_id", + "created_at", + "email", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.remove_integration_secret", "description": "A user secret for Codespaces was deleted.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.rename", "description": "A username was changed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "request_id", + "actor_id", + "old_login", + "created_at", + "_document_id", + "actor", + "user_id", + "@timestamp", + "operation_type", + "user_agent", + "token_scopes", + "programmatic_access_type" + ] }, { "action": "user.reset_password", "description": "A user reset their account password.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "user_agent", + "user", + "request_id", + "user_id", + "created_at", + "@timestamp", + "_document_id", + "actor", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_session.country_change", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "created_at", + "request_id", + "user_id", + "action", + "@timestamp", + "_document_id", + "actor", + "actor_id", + "user", + "user_agent", + "operation_type" + ] }, { "action": "user.show_private_contributions_count", "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile", + "fields": [ + "@timestamp", + "_document_id", + "request_id", + "user_id", + "action", + "actor", + "user", + "operation_type", + "user_agent", + "actor_id", + "created_at", + "request_access_security_header" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile" }, { "action": "user.sign_in_from_unrecognized_device", "description": "A user signed in from an unrecognized device.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "action", + "_document_id", + "user_agent", + "user", + "user_id", + "operation_type", + "created_at", + "actor", + "actor_id", + "@timestamp", + "request_access_security_header" + ] }, { "action": "user.sign_in_from_unrecognized_device_and_location", "description": "A user signed in from an unrecognized device and location.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user", + "user_id", + "@timestamp", + "user_agent", + "created_at", + "_document_id", + "request_id", + "action", + "operation_type", + "request_access_security_header" + ] }, { "action": "user_status.destroy", "description": "Triggered when you clear the status on your profile.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "org", + "user_id", + "actor", + "message", + "user", + "actor_id", + "created_at", + "request_id", + "limited_availability", + "action", + "emoji", + "operation_type", + "user_agent", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user_status.update", "description": "Triggered when you set or change the status on your profile.", "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status", + "fields": [ + "limited_availability", + "user", + "action", + "actor_id", + "message", + "user_id", + "created_at", + "_document_id", + "request_id", + "@timestamp", + "user_agent", + "emoji", + "org", + "actor", + "operation_type", + "token_scopes", + "programmatic_access_type" + ], "docs_reference_titles": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status" }, { "action": "user.suspend", "description": "A user account was suspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "oauth_application_id", + "operation_type", + "actor_id", + "user", + "user_agent", + "request_id", + "actor", + "created_at", + "_document_id", + "@timestamp", + "user_id", + "action", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.toggle_warn_private_email", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "user", + "actor_id", + "@timestamp", + "operation_type", + "_document_id", + "user_agent", + "actor", + "action", + "user_id", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_failure", "description": "A 2FA challenge issued for a user account failed.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "operation_type", + "created_at", + "_document_id", + "user_agent", + "user", + "actor_id", + "actor", + "user_id", + "@timestamp", + "action", + "request_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_challenge_success", "description": "A 2FA challenge issued for a user account succeeded.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "@timestamp", + "_document_id", + "user_id", + "operation_type", + "actor_id", + "user", + "actor", + "user_agent", + "request_id", + "action", + "created_at", + "request_access_security_header" + ] }, { "action": "user.two_factor_recover", "description": "A user used their 2FA recovery codes.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "user_agent", + "request_id", + "user", + "action", + "actor", + "actor_id", + "created_at", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_downloaded", "description": "A user downloaded 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_id", + "operation_type", + "actor_id", + "user", + "request_id", + "action", + "@timestamp", + "created_at", + "user_agent", + "actor", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_recovery_codes_printed", "description": "A user printed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user", + "action", + "operation_type", + "user_agent", + "request_id", + "user_id", + "created_at", + "_document_id", + "actor", + "actor_id", + "@timestamp" + ] }, { "action": "user.two_factor_recovery_codes_viewed", "description": "A user viewed 2FA recovery codes for their account.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "user_agent", + "actor", + "user_id", + "action", + "created_at", + "user", + "operation_type", + "@timestamp", + "request_id", + "_document_id", + "request_access_security_header" + ] }, { "action": "user.two_factor_requested", "description": "A user was prompted for a two-factor authentication code.", "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication", + "fields": [ + "user", + "actor_id", + "action", + "user_agent", + "request_id", + "created_at", + "_document_id", + "user_id", + "operation_type", + "@timestamp", + "actor" + ], "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication" }, { "action": "user.unblock_user", "description": "A user was unblocked by another user.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor_id", + "action", + "request_id", + "_document_id", + "blocked_user", + "operation_type", + "actor", + "@timestamp", + "user_agent", + "user_id", + "user", + "created_at", + "request_access_security_header" + ] }, { "action": "user.unsuspend", "description": "A user account was unsuspended.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "request_id", + "_document_id", + "user", + "action", + "user_agent", + "actor", + "oauth_application_id", + "operation_type", + "actor_id", + "created_at", + "@timestamp", + "user_id", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "user.update_integration_secret", "description": "A user secret for Codespaces was updated.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "key", + "visibility", + "integration", + "user", + "user_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "user.update_new_repository_default_branch_setting", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "created_at", + "user", + "user_id", + "action", + "operation_type", + "@timestamp", + "_document_id", + "request_access_security_header" + ] }, { "action": "workflows.approve_workflow_job", "description": "A workflow job was approved.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "business", + "business_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "token_scopes", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.bypass_protection_rules", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "request_access_security_header" + ] }, { "action": "workflows.comment_workflow_job", "description": "N/A", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "token_id", + "hashed_token", + "programmatic_access_type", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "repo", + "repo_id", + "public_repo", + "org", + "org_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type" + ] }, { "action": "workflows.delete_workflow_run", "description": "A workflow run was deleted.", "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "workflow_run_id", + "started_at", + "head_branch", + "head_sha", + "trigger_id", + "programmatic_access_type" + ], "docs_reference_titles": "Deleting a workflow run" }, { "action": "workflows.disable_workflow", "description": "A workflow was disabled.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.enable_workflow", "description": "A workflow was enabled, after previously being disabled by disable_workflow.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "repo", + "repo_id", + "workflow_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ] }, { "action": "workflows.pin_workflow", "description": "A workflow was pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] }, { "action": "workflows.reject_workflow_job", "description": "A workflow job was rejected.", "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments", + "fields": [ + "user_agent", + "request_id", + "actor", + "actor_id", + "workflow_run_id", + "run_number", + "user", + "user_id", + "repo", + "repo_id", + "action", + "operation_type", + "@timestamp", + "created_at", + "_document_id", + "public_repo", + "programmatic_access_type", + "request_access_security_header" + ], "docs_reference_titles": "Reviewing deployments" }, { "action": "workflows.unpin_workflow", "description": "A workflow was unpinned after previously being pinned.", - "docs_reference_links": "N/A" + "docs_reference_links": "N/A", + "fields": [ + "actor", + "actor_id", + "user_agent", + "request_id", + "repo", + "repo_id", + "public_repo", + "workflow_id", + "org", + "org_id", + "business", + "business_id", + "action", + "_document_id", + "@timestamp", + "created_at", + "operation_type", + "actor_is_bot", + "request_access_security_header" + ] } ] \ No newline at end of file diff --git a/src/audit-logs/lib/config.json b/src/audit-logs/lib/config.json index a4aed9448c85..35f6793608a4 100644 --- a/src/audit-logs/lib/config.json +++ b/src/audit-logs/lib/config.json @@ -10,4 +10,4 @@ "sso_redirect": "Note: Automatically redirecting users to sign in is currently in beta for Enterprise Managed Users and subject to change." }, "sha": "30f9be27cbe4d9f3729f8fb335ce8b254ca3b54a" -} +} \ No newline at end of file From 7eaa98c54db587e3c65dd123aab531fb6fcffde4 Mon Sep 17 00:00:00 2001 From: docs-bot <77750099+docs-bot@users.noreply.github.com> Date: Wed, 16 Jul 2025 10:34:08 -0700 Subject: [PATCH 5/6] Update OpenAPI Description (#56668) Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> --- .../fine-grained-pat-permissions.json | 128 ++++++- .../server-to-server-permissions.json | 160 ++++++++- .../server-to-server-rest.json | 24 ++ .../fine-grained-pat-permissions.json | 50 ++- .../server-to-server-permissions.json | 66 +++- .../server-to-server-rest.json | 24 ++ src/rest/data/ghec-2022-11-28/schema.json | 36 +- .../data/ghes-3.14-2022-11-28/schema.json | 316 +++++++++--------- .../data/ghes-3.17-2022-11-28/schema.json | 144 ++++---- 9 files changed, 686 insertions(+), 262 deletions(-) diff --git a/src/github-apps/data/ghec-2022-11-28/fine-grained-pat-permissions.json b/src/github-apps/data/ghec-2022-11-28/fine-grained-pat-permissions.json index 63dead907d0e..924a90744498 100644 --- a/src/github-apps/data/ghec-2022-11-28/fine-grained-pat-permissions.json +++ b/src/github-apps/data/ghec-2022-11-28/fine-grained-pat-permissions.json @@ -2153,6 +2153,48 @@ } ] }, + "organization_secret_scanning_bypass_requests": { + "title": "Organization bypass requests for secret scanning", + "displayTitle": "Organization permissions for \"Organization bypass requests for secret scanning\"", + "permissions": [ + { + "category": "secret-scanning", + "slug": "list-bypass-requests-for-secret-scanning-for-an-org", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/orgs/{org}/bypass-requests/secret-scanning", + "additional-permissions": true, + "access": "read" + }, + { + "category": "secret-scanning", + "slug": "list-bypass-requests-for-secret-scanning-for-a-repository", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning", + "additional-permissions": true, + "access": "read" + }, + { + "category": "secret-scanning", + "slug": "get-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", + "additional-permissions": true, + "access": "read" + }, + { + "category": "secret-scanning", + "slug": "review-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", + "additional-permissions": true, + "access": "write" + } + ] + }, "organization_codespaces_secrets": { "title": "Organization codespaces secrets", "displayTitle": "Organization permissions for \"Organization codespaces secrets\"", @@ -2813,6 +2855,24 @@ "requestPath": "/orgs/{org}/dismissal-requests/secret-scanning", "additional-permissions": true, "access": "read" + }, + { + "category": "secret-scanning", + "slug": "list-alert-dismissal-requests-for-secret-scanning-for-a-repository", + "subcategory": "alert-dismissal-requests", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning", + "additional-permissions": true, + "access": "read" + }, + { + "category": "secret-scanning", + "slug": "review-an-alert-dismissal-request-for-secret-scanning", + "subcategory": "alert-dismissal-requests", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning/{alert_number}", + "additional-permissions": true, + "access": "write" } ] }, @@ -5781,6 +5841,15 @@ "additional-permissions": true, "access": "read" }, + { + "category": "secret-scanning", + "slug": "list-alert-dismissal-requests-for-secret-scanning-for-a-repository", + "subcategory": "alert-dismissal-requests", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning", + "additional-permissions": true, + "access": "read" + }, { "category": "secret-scanning", "slug": "get-an-alert-dismissal-request-for-secret-scanning", @@ -5799,6 +5868,15 @@ "additional-permissions": true, "access": "read" }, + { + "category": "secret-scanning", + "slug": "review-an-alert-dismissal-request-for-secret-scanning", + "subcategory": "alert-dismissal-requests", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning/{alert_number}", + "additional-permissions": true, + "access": "read" + }, { "category": "repos", "slug": "create-a-repository-dispatch-event", @@ -8147,6 +8225,30 @@ } ] }, + "repo_secret_scanning_dismissal_requests": { + "title": "Secret scanning alert dismissal requests", + "displayTitle": "Repository permissions for \"Secret scanning alert dismissal requests\"", + "permissions": [ + { + "category": "secret-scanning", + "slug": "list-alert-dismissal-requests-for-secret-scanning-for-a-repository", + "subcategory": "alert-dismissal-requests", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning", + "additional-permissions": true, + "access": "read" + }, + { + "category": "secret-scanning", + "slug": "review-an-alert-dismissal-request-for-secret-scanning", + "subcategory": "alert-dismissal-requests", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning/{alert_number}", + "additional-permissions": true, + "access": "write" + } + ] + }, "secret_scanning_alerts": { "title": "Secret scanning alerts", "displayTitle": "Repository permissions for \"Secret scanning alerts\"", @@ -8157,7 +8259,7 @@ "subcategory": "delegated-bypass", "verb": "get", "requestPath": "/orgs/{org}/bypass-requests/secret-scanning", - "additional-permissions": false, + "additional-permissions": true, "access": "read" }, { @@ -8184,7 +8286,7 @@ "subcategory": "delegated-bypass", "verb": "get", "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning", - "additional-permissions": false, + "additional-permissions": true, "access": "read" }, { @@ -8193,7 +8295,7 @@ "subcategory": "delegated-bypass", "verb": "get", "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", - "additional-permissions": false, + "additional-permissions": true, "access": "read" }, { @@ -8202,7 +8304,7 @@ "subcategory": "delegated-bypass", "verb": "patch", "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", - "additional-permissions": false, + "additional-permissions": true, "access": "read" }, { @@ -8223,6 +8325,15 @@ "additional-permissions": true, "access": "read" }, + { + "category": "secret-scanning", + "slug": "list-alert-dismissal-requests-for-secret-scanning-for-a-repository", + "subcategory": "alert-dismissal-requests", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning", + "additional-permissions": true, + "access": "read" + }, { "category": "secret-scanning", "slug": "get-an-alert-dismissal-request-for-secret-scanning", @@ -8241,6 +8352,15 @@ "additional-permissions": true, "access": "read" }, + { + "category": "secret-scanning", + "slug": "review-an-alert-dismissal-request-for-secret-scanning", + "subcategory": "alert-dismissal-requests", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning/{alert_number}", + "additional-permissions": true, + "access": "read" + }, { "category": "secret-scanning", "slug": "list-secret-scanning-alerts-for-a-repository", diff --git a/src/github-apps/data/ghec-2022-11-28/server-to-server-permissions.json b/src/github-apps/data/ghec-2022-11-28/server-to-server-permissions.json index 685530c21cc6..16b950c7fc01 100644 --- a/src/github-apps/data/ghec-2022-11-28/server-to-server-permissions.json +++ b/src/github-apps/data/ghec-2022-11-28/server-to-server-permissions.json @@ -2609,6 +2609,56 @@ } ] }, + "organization_secret_scanning_bypass_requests": { + "title": "Organization bypass requests for secret scanning", + "displayTitle": "Organization permissions for \"Organization bypass requests for secret scanning\"", + "permissions": [ + { + "category": "secret-scanning", + "slug": "list-bypass-requests-for-secret-scanning-for-an-org", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/orgs/{org}/bypass-requests/secret-scanning", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, + { + "category": "secret-scanning", + "slug": "list-bypass-requests-for-secret-scanning-for-a-repository", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, + { + "category": "secret-scanning", + "slug": "get-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, + { + "category": "secret-scanning", + "slug": "review-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", + "access": "write", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + } + ] + }, "organization_codespaces_secrets": { "title": "Organization codespaces secrets", "displayTitle": "Organization permissions for \"Organization codespaces secrets\"", @@ -3403,6 +3453,28 @@ "user-to-server": true, "server-to-server": true, "additional-permissions": true + }, + { + "category": "secret-scanning", + "slug": "list-alert-dismissal-requests-for-secret-scanning-for-a-repository", + "subcategory": "alert-dismissal-requests", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, + { + "category": "secret-scanning", + "slug": "review-an-alert-dismissal-request-for-secret-scanning", + "subcategory": "alert-dismissal-requests", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning/{alert_number}", + "access": "write", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true } ] }, @@ -7009,6 +7081,17 @@ "server-to-server": true, "additional-permissions": true }, + { + "category": "secret-scanning", + "slug": "list-alert-dismissal-requests-for-secret-scanning-for-a-repository", + "subcategory": "alert-dismissal-requests", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, { "category": "secret-scanning", "slug": "get-an-alert-dismissal-request-for-secret-scanning", @@ -7031,6 +7114,17 @@ "server-to-server": true, "additional-permissions": true }, + { + "category": "secret-scanning", + "slug": "review-an-alert-dismissal-request-for-secret-scanning", + "subcategory": "alert-dismissal-requests", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning/{alert_number}", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, { "category": "repos", "slug": "create-a-repository-dispatch-event", @@ -10135,6 +10229,34 @@ } ] }, + "repo_secret_scanning_dismissal_requests": { + "title": "Secret scanning alert dismissal requests", + "displayTitle": "Repository permissions for \"Secret scanning alert dismissal requests\"", + "permissions": [ + { + "category": "secret-scanning", + "slug": "list-alert-dismissal-requests-for-secret-scanning-for-a-repository", + "subcategory": "alert-dismissal-requests", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, + { + "category": "secret-scanning", + "slug": "review-an-alert-dismissal-request-for-secret-scanning", + "subcategory": "alert-dismissal-requests", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning/{alert_number}", + "access": "write", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + } + ] + }, "secret_scanning_alerts": { "title": "Secret scanning alerts", "displayTitle": "Repository permissions for \"Secret scanning alerts\"", @@ -10147,8 +10269,8 @@ "requestPath": "/orgs/{org}/bypass-requests/secret-scanning", "access": "read", "user-to-server": true, - "server-to-server": false, - "additional-permissions": false + "server-to-server": true, + "additional-permissions": true }, { "category": "secret-scanning", @@ -10180,8 +10302,8 @@ "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning", "access": "read", "user-to-server": true, - "server-to-server": false, - "additional-permissions": false + "server-to-server": true, + "additional-permissions": true }, { "category": "secret-scanning", @@ -10191,8 +10313,8 @@ "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", "access": "read", "user-to-server": true, - "server-to-server": false, - "additional-permissions": false + "server-to-server": true, + "additional-permissions": true }, { "category": "secret-scanning", @@ -10202,8 +10324,8 @@ "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", "access": "read", "user-to-server": true, - "server-to-server": false, - "additional-permissions": false + "server-to-server": true, + "additional-permissions": true }, { "category": "secret-scanning", @@ -10227,6 +10349,17 @@ "server-to-server": true, "additional-permissions": true }, + { + "category": "secret-scanning", + "slug": "list-alert-dismissal-requests-for-secret-scanning-for-a-repository", + "subcategory": "alert-dismissal-requests", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, { "category": "secret-scanning", "slug": "get-an-alert-dismissal-request-for-secret-scanning", @@ -10249,6 +10382,17 @@ "server-to-server": true, "additional-permissions": true }, + { + "category": "secret-scanning", + "slug": "review-an-alert-dismissal-request-for-secret-scanning", + "subcategory": "alert-dismissal-requests", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/dismissal-requests/secret-scanning/{alert_number}", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, { "category": "secret-scanning", "slug": "list-secret-scanning-alerts-for-a-repository", diff --git a/src/github-apps/data/ghec-2022-11-28/server-to-server-rest.json b/src/github-apps/data/ghec-2022-11-28/server-to-server-rest.json index b41d8ef76418..a84eab638728 100644 --- a/src/github-apps/data/ghec-2022-11-28/server-to-server-rest.json +++ b/src/github-apps/data/ghec-2022-11-28/server-to-server-rest.json @@ -4998,6 +4998,12 @@ } ], "secret-scanning": [ + { + "slug": "list-bypass-requests-for-secret-scanning-for-an-org", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/orgs/{org}/bypass-requests/secret-scanning" + }, { "slug": "list-alert-dismissal-requests-for-secret-scanning-for-an-org", "subcategory": "alert-dismissal-requests", @@ -5010,6 +5016,24 @@ "verb": "get", "requestPath": "/orgs/{org}/secret-scanning/alerts" }, + { + "slug": "list-bypass-requests-for-secret-scanning-for-a-repository", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning" + }, + { + "slug": "get-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}" + }, + { + "slug": "review-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}" + }, { "slug": "list-alert-dismissal-requests-for-secret-scanning-for-a-repository", "subcategory": "alert-dismissal-requests", diff --git a/src/github-apps/data/ghes-3.17-2022-11-28/fine-grained-pat-permissions.json b/src/github-apps/data/ghes-3.17-2022-11-28/fine-grained-pat-permissions.json index 769ff8f6c13d..4e718d9f1334 100644 --- a/src/github-apps/data/ghes-3.17-2022-11-28/fine-grained-pat-permissions.json +++ b/src/github-apps/data/ghes-3.17-2022-11-28/fine-grained-pat-permissions.json @@ -1109,6 +1109,48 @@ } ] }, + "organization_secret_scanning_bypass_requests": { + "title": "Organization bypass requests for secret scanning", + "displayTitle": "Organization permissions for \"Organization bypass requests for secret scanning\"", + "permissions": [ + { + "category": "secret-scanning", + "slug": "list-bypass-requests-for-secret-scanning-for-an-org", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/orgs/{org}/bypass-requests/secret-scanning", + "additional-permissions": true, + "access": "read" + }, + { + "category": "secret-scanning", + "slug": "list-bypass-requests-for-secret-scanning-for-a-repository", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning", + "additional-permissions": true, + "access": "read" + }, + { + "category": "secret-scanning", + "slug": "get-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", + "additional-permissions": true, + "access": "read" + }, + { + "category": "secret-scanning", + "slug": "review-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", + "additional-permissions": true, + "access": "write" + } + ] + }, "organization_dependabot_secrets": { "title": "Organization dependabot secrets", "displayTitle": "Organization permissions for \"Organization dependabot secrets\"", @@ -6096,7 +6138,7 @@ "subcategory": "delegated-bypass", "verb": "get", "requestPath": "/orgs/{org}/bypass-requests/secret-scanning", - "additional-permissions": false, + "additional-permissions": true, "access": "read" }, { @@ -6114,7 +6156,7 @@ "subcategory": "delegated-bypass", "verb": "get", "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning", - "additional-permissions": false, + "additional-permissions": true, "access": "read" }, { @@ -6123,7 +6165,7 @@ "subcategory": "delegated-bypass", "verb": "get", "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", - "additional-permissions": false, + "additional-permissions": true, "access": "read" }, { @@ -6132,7 +6174,7 @@ "subcategory": "delegated-bypass", "verb": "patch", "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", - "additional-permissions": false, + "additional-permissions": true, "access": "read" }, { diff --git a/src/github-apps/data/ghes-3.17-2022-11-28/server-to-server-permissions.json b/src/github-apps/data/ghes-3.17-2022-11-28/server-to-server-permissions.json index e514e8e2f214..72c56669eb83 100644 --- a/src/github-apps/data/ghes-3.17-2022-11-28/server-to-server-permissions.json +++ b/src/github-apps/data/ghes-3.17-2022-11-28/server-to-server-permissions.json @@ -1345,6 +1345,56 @@ } ] }, + "organization_secret_scanning_bypass_requests": { + "title": "Organization bypass requests for secret scanning", + "displayTitle": "Organization permissions for \"Organization bypass requests for secret scanning\"", + "permissions": [ + { + "category": "secret-scanning", + "slug": "list-bypass-requests-for-secret-scanning-for-an-org", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/orgs/{org}/bypass-requests/secret-scanning", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, + { + "category": "secret-scanning", + "slug": "list-bypass-requests-for-secret-scanning-for-a-repository", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, + { + "category": "secret-scanning", + "slug": "get-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", + "access": "read", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + }, + { + "category": "secret-scanning", + "slug": "review-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", + "access": "write", + "user-to-server": true, + "server-to-server": true, + "additional-permissions": true + } + ] + }, "organization_dependabot_secrets": { "title": "Organization dependabot secrets", "displayTitle": "Organization permissions for \"Organization dependabot secrets\"", @@ -7652,8 +7702,8 @@ "requestPath": "/orgs/{org}/bypass-requests/secret-scanning", "access": "read", "user-to-server": true, - "server-to-server": false, - "additional-permissions": false + "server-to-server": true, + "additional-permissions": true }, { "category": "secret-scanning", @@ -7674,8 +7724,8 @@ "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning", "access": "read", "user-to-server": true, - "server-to-server": false, - "additional-permissions": false + "server-to-server": true, + "additional-permissions": true }, { "category": "secret-scanning", @@ -7685,8 +7735,8 @@ "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", "access": "read", "user-to-server": true, - "server-to-server": false, - "additional-permissions": false + "server-to-server": true, + "additional-permissions": true }, { "category": "secret-scanning", @@ -7696,8 +7746,8 @@ "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}", "access": "read", "user-to-server": true, - "server-to-server": false, - "additional-permissions": false + "server-to-server": true, + "additional-permissions": true }, { "category": "secret-scanning", diff --git a/src/github-apps/data/ghes-3.17-2022-11-28/server-to-server-rest.json b/src/github-apps/data/ghes-3.17-2022-11-28/server-to-server-rest.json index 7c35d4f5f793..88626b8d7778 100644 --- a/src/github-apps/data/ghes-3.17-2022-11-28/server-to-server-rest.json +++ b/src/github-apps/data/ghes-3.17-2022-11-28/server-to-server-rest.json @@ -4026,12 +4026,36 @@ } ], "secret-scanning": [ + { + "slug": "list-bypass-requests-for-secret-scanning-for-an-org", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/orgs/{org}/bypass-requests/secret-scanning" + }, { "slug": "list-secret-scanning-alerts-for-an-organization", "subcategory": "secret-scanning", "verb": "get", "requestPath": "/orgs/{org}/secret-scanning/alerts" }, + { + "slug": "list-bypass-requests-for-secret-scanning-for-a-repository", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning" + }, + { + "slug": "get-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "get", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}" + }, + { + "slug": "review-a-bypass-request-for-secret-scanning", + "subcategory": "delegated-bypass", + "verb": "patch", + "requestPath": "/repos/{owner}/{repo}/bypass-requests/secret-scanning/{bypass_request_number}" + }, { "slug": "list-secret-scanning-alerts-for-a-repository", "subcategory": "secret-scanning", diff --git a/src/rest/data/ghec-2022-11-28/schema.json b/src/rest/data/ghec-2022-11-28/schema.json index a8321caf689d..c436d482340c 100644 --- a/src/rest/data/ghec-2022-11-28/schema.json +++ b/src/rest/data/ghec-2022-11-28/schema.json @@ -619126,7 +619126,13 @@ "permissions": [ { "\"Secret scanning alerts\" repository permissions": "read", - "\"Contents\" repository permissions": "read" + "\"Contents\" repository permissions": "read", + "\"Secret scanning alert dismissal requests\" repository permissions": "read" + }, + { + "\"Secret scanning alerts\" repository permissions": "read", + "\"Contents\" repository permissions": "read", + "\"Secret scanning alert dismissal requests\" organization permissions": "read" } ] }, @@ -619835,7 +619841,13 @@ "permissions": [ { "\"Secret scanning alerts\" repository permissions": "read", - "\"Contents\" repository permissions": "read" + "\"Contents\" repository permissions": "read", + "\"Secret scanning alert dismissal requests\" organization permissions": "write" + }, + { + "\"Secret scanning alerts\" repository permissions": "read", + "\"Contents\" repository permissions": "read", + "\"Secret scanning alert dismissal requests\" repository permissions": "write" } ] }, @@ -620003,11 +620015,12 @@ "bodyParameters": [], "progAccess": { "userToServerRest": true, - "serverToServer": false, + "serverToServer": true, "fineGrainedPat": true, "permissions": [ { - "\"Secret scanning alerts\" repository permissions": "read" + "\"Secret scanning alerts\" repository permissions": "read", + "\"Organization bypass requests for secret scanning\" organization permissions": "read" } ] }, @@ -620436,11 +620449,12 @@ "bodyParameters": [], "progAccess": { "userToServerRest": true, - "serverToServer": false, + "serverToServer": true, "fineGrainedPat": true, "permissions": [ { - "\"Secret scanning alerts\" repository permissions": "read" + "\"Secret scanning alerts\" repository permissions": "read", + "\"Organization bypass requests for secret scanning\" organization permissions": "read" } ] }, @@ -620811,11 +620825,12 @@ "bodyParameters": [], "progAccess": { "userToServerRest": true, - "serverToServer": false, + "serverToServer": true, "fineGrainedPat": true, "permissions": [ { - "\"Secret scanning alerts\" repository permissions": "read" + "\"Secret scanning alerts\" repository permissions": "read", + "\"Organization bypass requests for secret scanning\" organization permissions": "read" } ] }, @@ -621157,11 +621172,12 @@ ], "progAccess": { "userToServerRest": true, - "serverToServer": false, + "serverToServer": true, "fineGrainedPat": true, "permissions": [ { - "\"Secret scanning alerts\" repository permissions": "read" + "\"Secret scanning alerts\" repository permissions": "read", + "\"Organization bypass requests for secret scanning\" organization permissions": "write" } ] }, diff --git a/src/rest/data/ghes-3.14-2022-11-28/schema.json b/src/rest/data/ghes-3.14-2022-11-28/schema.json index 57dc04ac7c01..69f0cecd0f43 100644 --- a/src/rest/data/ghes-3.14-2022-11-28/schema.json +++ b/src/rest/data/ghes-3.14-2022-11-28/schema.json @@ -1000,13 +1000,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets the total GitHub Actions cache usage for an enterprise.\nThe data fetched using this API is refreshed approximately every 5 minutes, so values returned from this endpoint may take at least 5 minutes to get updated.

\n

OAuth tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets the total GitHub Actions cache usage for an enterprise.\nThe data fetched using this API is refreshed approximately every 5 minutes, so values returned from this endpoint may take at least 5 minutes to get updated.

\n

OAuth tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -1080,13 +1080,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets the GitHub Actions cache usage policy for an enterprise.

\n

OAuth tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets the GitHub Actions cache usage policy for an enterprise.

\n

OAuth tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -1152,13 +1152,13 @@ } ], "previews": [], + "descriptionHTML": "

Sets the GitHub Actions cache usage policy for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Sets the GitHub Actions cache usage policy for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -1364,13 +1364,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists repositories and their GitHub Actions cache usage for an organization.\nThe data fetched using this API is refreshed approximately every 5 minutes, so values returned from this endpoint may take at least 5 minutes to get updated.

\n

OAuth tokens and personal access tokens (classic) need the read:org scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Lists repositories and their GitHub Actions cache usage for an organization.\nThe data fetched using this API is refreshed approximately every 5 minutes, so values returned from this endpoint may take at least 5 minutes to get updated.

\n

OAuth tokens and personal access tokens (classic) need the read:org scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -1630,13 +1630,13 @@ } ], "previews": [], + "descriptionHTML": "

Sets GitHub Actions cache usage policy for a repository.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Sets GitHub Actions cache usage policy for a repository.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -2088,13 +2088,13 @@ } ], "previews": [], + "descriptionHTML": "

Deletes a GitHub Actions cache for a repository, using a cache ID.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Deletes a GitHub Actions cache for a repository, using a cache ID.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] } ], "oidc": [ @@ -2836,13 +2836,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists the organizations that are selected to have GitHub Actions enabled in an enterprise. To use this endpoint, the enterprise permission policy for enabled_organizations must be configured to selected. For more information, see \"Set GitHub Actions permissions for an enterprise.\"

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Lists the organizations that are selected to have GitHub Actions enabled in an enterprise. To use this endpoint, the enterprise permission policy for enabled_organizations must be configured to selected. For more information, see \"Set GitHub Actions permissions for an enterprise.\"

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -2901,13 +2901,13 @@ } ], "previews": [], + "descriptionHTML": "

Replaces the list of selected organizations that are enabled for GitHub Actions in an enterprise. To use this endpoint, the enterprise permission policy for enabled_organizations must be configured to selected. For more information, see \"Set GitHub Actions permissions for an enterprise.\"

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Replaces the list of selected organizations that are enabled for GitHub Actions in an enterprise. To use this endpoint, the enterprise permission policy for enabled_organizations must be configured to selected. For more information, see \"Set GitHub Actions permissions for an enterprise.\"

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -3420,13 +3420,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets the GitHub Actions permissions policy for repositories and allowed actions in an organization.

\n

You must authenticate using an access token with the admin:org scope to use this endpoint. GitHub Apps must have the administration organization permission to use this API.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets the GitHub Actions permissions policy for repositories and allowed actions in an organization.

\n

You must authenticate using an access token with the admin:org scope to use this endpoint. GitHub Apps must have the administration organization permission to use this API.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -5461,13 +5461,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets the level of access that workflows outside of the repository have to actions and reusable workflows in the repository.\nThis endpoint only applies to internal and private repositories.\nFor more information, see \"Allowing access to components in a private repository\" and\n\"Allowing access to components in an internal repository.\"

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets the level of access that workflows outside of the repository have to actions and reusable workflows in the repository.\nThis endpoint only applies to internal and private repositories.\nFor more information, see \"Allowing access to components in a private repository\" and\n\"Allowing access to components in an internal repository.\"

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -5636,13 +5636,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets the settings for selected actions that are allowed in a repository. To use this endpoint, the repository policy for allowed_actions must be configured to selected. For more information, see \"Set GitHub Actions permissions for a repository.\"

\n

You must authenticate using an access token with the repo scope to use this endpoint. GitHub Apps must have the administration repository permission to use this API.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets the settings for selected actions that are allowed in a repository. To use this endpoint, the repository policy for allowed_actions must be configured to selected. For more information, see \"Set GitHub Actions permissions for a repository.\"

\n

You must authenticate using an access token with the repo scope to use this endpoint. GitHub Apps must have the administration repository permission to use this API.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -5818,13 +5818,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets the default workflow permissions granted to the GITHUB_TOKEN when running workflows in a repository,\nas well as if GitHub Actions can submit approving pull request reviews.\nFor more information, see \"Setting the permissions of the GITHUB_TOKEN for your repository.\"

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets the default workflow permissions granted to the GITHUB_TOKEN when running workflows in a repository,\nas well as if GitHub Actions can submit approving pull request reviews.\nFor more information, see \"Setting the permissions of the GITHUB_TOKEN for your repository.\"

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -7484,13 +7484,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists all repositories that have been selected when the visibility\nfor repository access to a secret is set to selected.

\n

Authenticated users must have collaborator access to a repository to create, update, or read secrets.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint. If the repository is private, the repo scope is also required.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Lists all repositories that have been selected when the visibility\nfor repository access to a secret is set to selected.

\n

Authenticated users must have collaborator access to a repository to create, update, or read secrets.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint. If the repository is private, the repo scope is also required.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -8427,13 +8427,13 @@ } ], "previews": [], + "descriptionHTML": "

Deletes a secret in a repository using the secret name.

\n

Authenticated users must have collaborator access to a repository to create, update, or read secrets.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Deletes a secret in a repository using the secret name.

\n

Authenticated users must have collaborator access to a repository to create, update, or read secrets.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -9238,13 +9238,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists all self-hosted runner groups for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Lists all self-hosted runner groups for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -9421,13 +9421,13 @@ } ], "previews": [], + "descriptionHTML": "

Creates a new self-hosted runner group for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "201", "description": "

Created

" } - ], - "descriptionHTML": "

Creates a new self-hosted runner group for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -9784,13 +9784,13 @@ } ], "previews": [], + "descriptionHTML": "

Deletes a self-hosted runner group for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Deletes a self-hosted runner group for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -9996,13 +9996,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists the organizations with access to a self-hosted runner group.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Lists the organizations with access to a self-hosted runner group.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -11399,13 +11399,13 @@ } ], "previews": [], + "descriptionHTML": "

Updates the name and visibility of a self-hosted runner group in an organization.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Updates the name and visibility of a self-hosted runner group in an organization.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -13092,13 +13092,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists self-hosted runners that are in a specific organization group.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Lists self-hosted runners that are in a specific organization group.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -14976,13 +14976,13 @@ } ], "previews": [], + "descriptionHTML": "

Returns a token that you can pass to the config script. The token expires after one hour.

\n

Example using registration token:

\n

Configure your self-hosted runner, replacing TOKEN with the registration token provided by this endpoint.

\n
./config.sh --url https://github.com/enterprises/octo-enterprise --token TOKEN\n
\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "201", "description": "

Created

" } - ], - "descriptionHTML": "

Returns a token that you can pass to the config script. The token expires after one hour.

\n

Example using registration token:

\n

Configure your self-hosted runner, replacing TOKEN with the registration token provided by this endpoint.

\n
./config.sh --url https://github.com/enterprises/octo-enterprise --token TOKEN\n
\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -19721,13 +19721,13 @@ } ], "previews": [], + "descriptionHTML": "

Returns a token that you can pass to the config script to remove a self-hosted runner from an organization. The token expires after one hour.

\n

For example, you can replace TOKEN in the following example with the registration token provided by this endpoint to remove your self-hosted runner from an organization:

\n
./config.sh remove --token TOKEN\n
\n

Authenticated users must have admin access to the organization to use this endpoint.

\n

OAuth tokens and personal access tokens (classic) need theadmin:org scope to use this endpoint. If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "201", "description": "

Created

" } - ], - "descriptionHTML": "

Returns a token that you can pass to the config script to remove a self-hosted runner from an organization. The token expires after one hour.

\n

For example, you can replace TOKEN in the following example with the registration token provided by this endpoint to remove your self-hosted runner from an organization:

\n
./config.sh remove --token TOKEN\n
\n

Authenticated users must have admin access to the organization to use this endpoint.

\n

OAuth tokens and personal access tokens (classic) need theadmin:org scope to use this endpoint. If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -23670,13 +23670,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets a specific self-hosted runner configured in a repository.

\n

Authenticated users must have admin access to the repository to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets a specific self-hosted runner configured in a repository.

\n

Authenticated users must have admin access to the repository to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -24213,6 +24213,7 @@ } ], "previews": [], + "descriptionHTML": "

Remove all previous custom labels and set the new custom labels for a specific\nself-hosted runner configured in a repository.

\n

Authenticated users must have admin access to the repository to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", @@ -24226,8 +24227,7 @@ "httpStatusCode": "422", "description": "

Validation failed, or the endpoint has been spammed.

" } - ], - "descriptionHTML": "

Remove all previous custom labels and set the new custom labels for a specific\nself-hosted runner configured in a repository.

\n

Authenticated users must have admin access to the repository to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -24697,13 +24697,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists all organization variables.

\n

Authenticated users must have collaborator access to a repository to create, update, or read variables.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint. If the repository is private, the repo scope is also required.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Lists all organization variables.

\n

Authenticated users must have collaborator access to a repository to create, update, or read variables.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint. If the repository is private, the repo scope is also required.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -27029,13 +27029,13 @@ } ], "previews": [], + "descriptionHTML": "

Deletes a repository variable using the variable name.

\n

Authenticated users must have collaborator access to a repository to create, update, or read variables.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Deletes a repository variable using the variable name.

\n

Authenticated users must have collaborator access to a repository to create, update, or read variables.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -28108,13 +28108,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets a specific job in a workflow run.

\n

Anyone with read access to the repository can use this endpoint.

\n

If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets a specific job in a workflow run.

\n

Anyone with read access to the repository can use this endpoint.

\n

If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -38174,13 +38174,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets a specific workflow run attempt.

\n

Anyone with read access to the repository can use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint with a private repository.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets a specific workflow run attempt.

\n

Anyone with read access to the repository can use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint with a private repository.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -38259,13 +38259,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets a redirect URL to download an archive of log files for a specific workflow run attempt. This link expires after\n1 minute. Look for Location: in the response header to find the URL for the download.

\n

Anyone with read access to the repository can use this endpoint.

\n

If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "302", "description": "

Found

" } - ], - "descriptionHTML": "

Gets a redirect URL to download an archive of log files for a specific workflow run attempt. This link expires after\n1 minute. Look for Location: in the response header to find the URL for the download.

\n

Anyone with read access to the repository can use this endpoint.

\n

If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -40153,13 +40153,13 @@ } ], "previews": [], + "descriptionHTML": "

Approve or reject pending deployments that are waiting on approval by a required reviewer.

\n

Required reviewers with read access to the repository contents and deployments can use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Approve or reject pending deployments that are waiting on approval by a required reviewer.

\n

Required reviewers with read access to the repository contents and deployments can use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -43697,13 +43697,13 @@ } ], "previews": [], + "descriptionHTML": "

Disables a workflow and sets the state of the workflow to disabled_manually. You can replace workflow_id with the workflow file name. For example, you could use main.yaml.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Disables a workflow and sets the state of the workflow to disabled_manually. You can replace workflow_id with the workflow file name. For example, you could use main.yaml.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -43881,13 +43881,13 @@ } ], "previews": [], + "descriptionHTML": "

Enables a workflow and sets the state of the workflow to active. You can replace workflow_id with the workflow file name. For example, you could use main.yaml.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Enables a workflow and sets the state of the workflow to active. You can replace workflow_id with the workflow file name. For example, you could use main.yaml.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] } ] }, @@ -80730,13 +80730,13 @@ } ], "previews": [], + "descriptionHTML": "

Marks a thread as \"done.\" Marking a thread as \"done\" is equivalent to marking a notification in your notification inbox on GitHub Enterprise Server as done: https://github.com/notifications.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No content

" } - ], - "descriptionHTML": "

Marks a thread as \"done.\" Marking a thread as \"done\" is equivalent to marking a notification in your notification inbox on GitHub Enterprise Server as done: https://github.com/notifications.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -80992,6 +80992,7 @@ } ], "previews": [], + "descriptionHTML": "

If you are watching a repository, you receive notifications for all threads by default. Use this endpoint to ignore future notifications for threads until you comment on the thread or get an @mention.

\n

You can also use this endpoint to subscribe to threads that you are currently not receiving notifications for or to subscribed to threads that you have previously ignored.

\n

Unsubscribing from a conversation in a repository that you are not watching is functionally equivalent to the Delete a thread subscription endpoint.

", "statusCodes": [ { "httpStatusCode": "200", @@ -81009,8 +81010,7 @@ "httpStatusCode": "403", "description": "

Forbidden

" } - ], - "descriptionHTML": "

If you are watching a repository, you receive notifications for all threads by default. Use this endpoint to ignore future notifications for threads until you comment on the thread or get an @mention.

\n

You can also use this endpoint to subscribe to threads that you are currently not receiving notifications for or to subscribed to threads that you have previously ignored.

\n

Unsubscribing from a conversation in a repository that you are not watching is functionally equivalent to the Delete a thread subscription endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -123751,13 +123751,13 @@ } ], "previews": [], + "descriptionHTML": "

Protected branches are available in public repositories with GitHub Free and GitHub Free for organizations, and in public and private repositories with GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub Enterprise Server. For more information, see GitHub's products in the GitHub Help documentation.

\n

Adding admin enforcement requires admin or owner permissions to the repository and branch protection to be enabled.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Protected branches are available in public repositories with GitHub Free and GitHub Free for organizations, and in public and private repositories with GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub Enterprise Server. For more information, see GitHub's products in the GitHub Help documentation.

\n

Adding admin enforcement requires admin or owner permissions to the repository and branch protection to be enabled.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -123826,6 +123826,7 @@ } ], "previews": [], + "descriptionHTML": "

Protected branches are available in public repositories with GitHub Free and GitHub Free for organizations, and in public and private repositories with GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub Enterprise Server. For more information, see GitHub's products in the GitHub Help documentation.

\n

Removing admin enforcement requires admin or owner permissions to the repository and branch protection to be enabled.

", "statusCodes": [ { "httpStatusCode": "204", @@ -123835,8 +123836,7 @@ "httpStatusCode": "404", "description": "

Resource not found

" } - ], - "descriptionHTML": "

Protected branches are available in public repositories with GitHub Free and GitHub Free for organizations, and in public and private repositories with GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub Enterprise Server. For more information, see GitHub's products in the GitHub Help documentation.

\n

Removing admin enforcement requires admin or owner permissions to the repository and branch protection to be enabled.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -133871,6 +133871,7 @@ } ], "previews": [], + "descriptionHTML": "

Protected branches are available in public repositories with GitHub Free and GitHub Free for organizations, and in public and private repositories with GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub Enterprise Server. For more information, see GitHub's products in the GitHub Help documentation.

\n

Removes the ability of a user to push to this branch.

\n\n\n\n\n\n\n\n\n\n\n\n\n\n
TypeDescription
arrayUsernames of the people who should no longer have push access. Note: The list of users, apps, and teams in total is limited to 100 items.
", "statusCodes": [ { "httpStatusCode": "200", @@ -133880,8 +133881,7 @@ "httpStatusCode": "422", "description": "

Validation failed, or the endpoint has been spammed.

" } - ], - "descriptionHTML": "

Protected branches are available in public repositories with GitHub Free and GitHub Free for organizations, and in public and private repositories with GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub Enterprise Server. For more information, see GitHub's products in the GitHub Help documentation.

\n

Removes the ability of a user to push to this branch.

\n\n\n\n\n\n\n\n\n\n\n\n\n\n
TypeDescription
arrayUsernames of the people who should no longer have push access. Note: The list of users, apps, and teams in total is limited to 100 items.
" + ] } ] }, @@ -138185,13 +138185,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets a single check run using its id.

\n

Note

\n

\nThe Checks API only looks for pushes in the repository where the check suite or check run were created. Pushes to a branch in a forked repository are not detected and return an empty pull_requests array.

\n
\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint on a private repository.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets a single check run using its id.

\n

Note

\n

\nThe Checks API only looks for pushes in the repository where the check suite or check run were created. Pushes to a branch in a forked repository are not detected and return an empty pull_requests array.

\n
\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint on a private repository.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -141535,13 +141535,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists check runs for a check suite using its id.

\n

Note

\n

\nThe endpoints to manage checks only look for pushes in the repository where the check suite or check run were created. Pushes to a branch in a forked repository are not detected and return an empty pull_requests array.

\n
\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint on a private repository.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Lists check runs for a check suite using its id.

\n

Note

\n

\nThe endpoints to manage checks only look for pushes in the repository where the check suite or check run were created. Pushes to a branch in a forked repository are not detected and return an empty pull_requests array.

\n
\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint on a private repository.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -147997,13 +147997,13 @@ } ], "previews": [], + "descriptionHTML": "

Changes the default automatic flow when creating check suites. By default, a check suite is automatically created each time code is pushed to a repository. When you disable the automatic creation of check suites, you can manually Create a check suite.\nYou must have admin permissions in the repository to set preferences for check suites.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Changes the default automatic flow when creating check suites. By default, a check suite is automatically created each time code is pushed to a repository. When you disable the automatic creation of check suites, you can manually Create a check suite.\nYou must have admin permissions in the repository to set preferences for check suites.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -149934,13 +149934,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets a single check suite using its id.

\n

Note

\n

\nThe Checks API only looks for pushes in the repository where the check suite or check run were created. Pushes to a branch in a forked repository are not detected and return an empty pull_requests array and a null value for head_branch.

\n
\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint on a private repository.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets a single check suite using its id.

\n

Note

\n

\nThe Checks API only looks for pushes in the repository where the check suite or check run were created. Pushes to a branch in a forked repository are not detected and return an empty pull_requests array and a null value for head_branch.

\n
\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint on a private repository.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -163363,13 +163363,13 @@ } ], "previews": [], + "descriptionHTML": "", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -185555,13 +185555,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists all secrets available in an organization without revealing their\nencrypted values.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Lists all secrets available in an organization without revealing their\nencrypted values.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -195089,13 +195089,13 @@ } ], "previews": [], + "descriptionHTML": "

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

Default response

" } - ], - "descriptionHTML": "

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" + ] } ], "protection-rules": [ @@ -200792,13 +200792,13 @@ } ], "previews": [], + "descriptionHTML": "", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -200855,13 +200855,13 @@ } ], "previews": [], + "descriptionHTML": "", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -201112,13 +201112,13 @@ } ], "previews": [], + "descriptionHTML": "", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -201311,13 +201311,13 @@ } ], "previews": [], + "descriptionHTML": "", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -204159,13 +204159,13 @@ } ], "previews": [], + "descriptionHTML": "", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "" + ] } ], "manage-ghes": [ @@ -208320,13 +208320,13 @@ } ], "previews": [], + "descriptionHTML": "", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -208430,13 +208430,13 @@ } ], "previews": [], + "descriptionHTML": "

For pre-receive hooks which are allowed to be configured at the org level, you can set enforcement and allow_downstream_configuration

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

For pre-receive hooks which are allowed to be configured at the org level, you can set enforcement and allow_downstream_configuration

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -210565,13 +210565,13 @@ } ], "previews": [], + "descriptionHTML": "

List all pre-receive hooks that are enabled or testing for this repository as well as any disabled hooks that are allowed to be enabled at the repository level. Pre-receive hooks that are disabled at a higher level and are not configurable will not be listed.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

List all pre-receive hooks that are enabled or testing for this repository as well as any disabled hooks that are allowed to be enabled at the repository level. Pre-receive hooks that are disabled at a higher level and are not configurable will not be listed.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -210875,13 +210875,13 @@ } ], "previews": [], + "descriptionHTML": "

Deletes any overridden enforcement on this repository for the specified hook.

\n

Responds with effective values inherited from owner and/or global level.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

Responds with effective values inherited from owner and/or global level.

" } - ], - "descriptionHTML": "

Deletes any overridden enforcement on this repository for the specified hook.

\n

Responds with effective values inherited from owner and/or global level.

" + ] } ], "scim": [ @@ -269015,13 +269015,13 @@ } ], "previews": [], + "descriptionHTML": "

You can use the REST API to delete comments on issues and pull requests. Every pull request is an issue, but not every issue is a pull request.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

You can use the REST API to delete comments on issues and pull requests. Every pull request is an issue, but not every issue is a pull request.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -313190,6 +313190,7 @@ } ], "previews": [], + "descriptionHTML": "

You must send Markdown as plain text (using a Content-Type header of text/plain or text/x-markdown) to this endpoint, rather than using JSON format. In raw mode, GitHub Flavored Markdown is not supported and Markdown will be rendered in plain format like a README.md file. Markdown content must be 400 KB or less.

", "statusCodes": [ { "httpStatusCode": "200", @@ -313199,8 +313200,7 @@ "httpStatusCode": "304", "description": "

Not modified

" } - ], - "descriptionHTML": "

You must send Markdown as plain text (using a Content-Type header of text/plain or text/x-markdown) to this endpoint, rather than using JSON format. In raw mode, GitHub Flavored Markdown is not supported and Markdown will be rendered in plain format like a README.md file. Markdown content must be 400 KB or less.

" + ] } ] }, @@ -313444,13 +313444,13 @@ } ], "previews": [], + "descriptionHTML": "

Get Hypermedia links to resources accessible in GitHub's REST API

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Get Hypermedia links to resources accessible in GitHub's REST API

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -313687,13 +313687,13 @@ } ], "previews": [], + "descriptionHTML": "

Get the octocat as ASCII art

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Get the octocat as ASCII art

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -319063,6 +319063,7 @@ } ], "previews": [], + "descriptionHTML": "

Fetches the status of a migration.

\n

The state of a migration can be one of the following values:

\n
    \n
  • pending, which means the migration hasn't started yet.
    • \n
  • exporting, which means the migration is in progress.
    • \n
  • exported, which means the migration finished successfully.
    • \n
  • failed, which means the migration failed.
    • \n
", "statusCodes": [ { "httpStatusCode": "200", @@ -319072,8 +319073,7 @@ "httpStatusCode": "404", "description": "

Resource not found

" } - ], - "descriptionHTML": "

Fetches the status of a migration.

\n

The state of a migration can be one of the following values:

\n
    \n
  • pending, which means the migration hasn't started yet.
    • \n
  • exporting, which means the migration is in progress.
    • \n
  • exported, which means the migration finished successfully.
    • \n
  • failed, which means the migration failed.
    • \n
" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -335325,13 +335325,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets the audit log for an organization. For more information, see \"Reviewing the audit log for your organization.\"

\n

By default, the response includes up to 30 events from the past three months. Use the phrase parameter to filter results and retrieve older events. For example, use the phrase parameter with the created qualifier to filter events based on when the events occurred. For more information, see \"Reviewing the audit log for your organization.\"

\n

Use pagination to retrieve fewer or more than 30 events. For more information, see \"Using pagination in the REST API.\"

\n

The authenticated user must be an organization owner to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the read:audit_log scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets the audit log for an organization. For more information, see \"Reviewing the audit log for your organization.\"

\n

By default, the response includes up to 30 events from the past three months. Use the phrase parameter to filter results and retrieve older events. For example, use the phrase parameter with the created qualifier to filter events based on when the events occurred. For more information, see \"Reviewing the audit log for your organization.\"

\n

Use pagination to retrieve fewer or more than 30 events. For more information, see \"Using pagination in the REST API.\"

\n

The authenticated user must be an organization owner to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the read:audit_log scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -341852,13 +341852,13 @@ } ], "previews": [], + "descriptionHTML": "

Members of an organization can choose to have their membership publicized or not.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Members of an organization can choose to have their membership publicized or not.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -344669,13 +344669,13 @@ } ], "previews": [], + "descriptionHTML": "

Revokes all assigned organization roles from a user. For more information on organization roles, see \"Using organization roles.\"

\n

The authenticated user must be an administrator for the organization to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Revokes all assigned organization roles from a user. For more information on organization roles, see \"Using organization roles.\"

\n

The authenticated user must be an administrator for the organization to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -344825,13 +344825,13 @@ } ], "previews": [], + "descriptionHTML": "

Remove an organization role from a user. For more information on organization roles, see \"Using organization roles.\"

\n

The authenticated user must be an administrator for the organization to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Remove an organization role from a user. For more information on organization roles, see \"Using organization roles.\"

\n

The authenticated user must be an administrator for the organization to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -346822,6 +346822,7 @@ } ], "previews": [], + "descriptionHTML": "

Removing a user from this list will remove them from all the organization's repositories.

", "statusCodes": [ { "httpStatusCode": "204", @@ -346831,8 +346832,7 @@ "httpStatusCode": "422", "description": "

Unprocessable Entity if user is a member of the organization

" } - ], - "descriptionHTML": "

Removing a user from this list will remove them from all the organization's repositories.

" + ] } ], "personal-access-tokens": [ @@ -357451,6 +357451,7 @@ } ], "previews": [], + "descriptionHTML": "

Delete a ruleset for an organization.

", "statusCodes": [ { "httpStatusCode": "204", @@ -357464,8 +357465,7 @@ "httpStatusCode": "500", "description": "

Internal Error

" } - ], - "descriptionHTML": "

Delete a ruleset for an organization.

" + ] } ], "security-managers": [ @@ -357775,13 +357775,13 @@ } ], "previews": [], + "descriptionHTML": "

Removes the security manager role from a team for an organization. For more information, see \"Managing security managers in your organization team from an organization.\"

\n

The authenticated user must be an administrator for the organization to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Removes the security manager role from a team for an organization. For more information, see \"Managing security managers in your organization team from an organization.\"

\n

The authenticated user must be an administrator for the organization to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

" + ] } ], "webhooks": [ @@ -374732,13 +374732,13 @@ } ], "previews": [], + "descriptionHTML": "

You can request that your site be built from the latest revision on the default branch. This has the same effect as pushing a commit to your default branch, but does not require an additional commit. Manually triggering page builds can be helpful when diagnosing build warnings and failures.

\n

Build requests are limited to one concurrent build per repository and one concurrent build per requester. If you request a build while another is still in progress, the second request will be queued until the first completes.

", "statusCodes": [ { "httpStatusCode": "201", "description": "

Created

" } - ], - "descriptionHTML": "

You can request that your site be built from the latest revision on the default branch. This has the same effect as pushing a commit to your default branch, but does not require an additional commit. Manually triggering page builds can be helpful when diagnosing build warnings and failures.

\n

Build requests are limited to one concurrent build per repository and one concurrent build per requester. If you request a build while another is still in progress, the second request will be queued until the first completes.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -405640,13 +405640,13 @@ } ], "previews": [], + "descriptionHTML": "

Edits the content of a specified review comment.

\n

This endpoint supports the following custom media types. For more information, see \"Media types.\"

\n
    \n
  • application/vnd.github-commitcomment.raw+json: Returns the raw markdown body. Response will include body. This is the default if you do not pass any specific media type.
    • \n
  • application/vnd.github-commitcomment.text+json: Returns a text only representation of the markdown body. Response will include body_text.
    • \n
  • application/vnd.github-commitcomment.html+json: Returns HTML rendered from the body's markdown. Response will include body_html.
    • \n
  • application/vnd.github-commitcomment.full+json: Returns raw, text, and HTML representations. Response will include body, body_text, and body_html.
    • \n
", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Edits the content of a specified review comment.

\n

This endpoint supports the following custom media types. For more information, see \"Media types.\"

\n
    \n
  • application/vnd.github-commitcomment.raw+json: Returns the raw markdown body. Response will include body. This is the default if you do not pass any specific media type.
    • \n
  • application/vnd.github-commitcomment.text+json: Returns a text only representation of the markdown body. Response will include body_text.
    • \n
  • application/vnd.github-commitcomment.html+json: Returns HTML rendered from the body's markdown. Response will include body_html.
    • \n
  • application/vnd.github-commitcomment.full+json: Returns raw, text, and HTML representations. Response will include body, body_text, and body_html.
    • \n
" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -417856,6 +417856,7 @@ } ], "previews": [], + "descriptionHTML": "

Removes review requests from a pull request for a given set of users and/or teams.

", "statusCodes": [ { "httpStatusCode": "200", @@ -417865,8 +417866,7 @@ "httpStatusCode": "422", "description": "

Validation failed, or the endpoint has been spammed.

" } - ], - "descriptionHTML": "

Removes review requests from a pull request for a given set of users and/or teams.

" + ] } ], "reviews": [ @@ -425378,13 +425378,13 @@ } ], "previews": [], + "descriptionHTML": "

Note

\n

\nYou can also specify a repository by repository_id using the route DELETE /repositories/:repository_id/comments/:comment_id/reactions/:reaction_id.

\n
\n

Delete a reaction to a commit comment.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Note

\n

\nYou can also specify a repository by repository_id using the route DELETE /repositories/:repository_id/comments/:comment_id/reactions/:reaction_id.

\n
\n

Delete a reaction to a commit comment.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -454531,13 +454531,13 @@ } ], "previews": [], + "descriptionHTML": "", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -456207,13 +456207,13 @@ } ], "previews": [], + "descriptionHTML": "

A transfer request will need to be accepted by the new owner when transferring a personal repository to another user. The response will contain the original owner, and the transfer will continue asynchronously. For more details on the requirements to transfer personal and organization-owned repositories, see about repository transfers.

", "statusCodes": [ { "httpStatusCode": "202", "description": "

Accepted

" } - ], - "descriptionHTML": "

A transfer request will need to be accepted by the new owner when transferring a personal repository to another user. The response will contain the original owner, and the transfer will continue asynchronously. For more details on the requirements to transfer personal and organization-owned repositories, see about repository transfers.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -469290,13 +469290,13 @@ } ], "previews": [], + "descriptionHTML": "

Gets all autolinks that are configured for a repository.

\n

Information about autolinks are only available to repository administrators.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Gets all autolinks that are configured for a repository.

\n

Information about autolinks are only available to repository administrators.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -508675,13 +508675,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists the organization projects for a team.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route GET /organizations/{org_id}/team/{team_id}/projects.

\n
", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Lists the organization projects for a team.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route GET /organizations/{org_id}/team/{team_id}/projects.

\n
" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -511415,13 +511415,13 @@ } ], "previews": [], + "descriptionHTML": "

To add a repository to a team or update the team's permission on a repository, the authenticated user must have admin access to the repository, and must be able to see the team. The repository must be owned by the organization, or a direct fork of a repository owned by the organization. You will get a 422 Unprocessable Entity status if you attempt to add a repository to a team that is not owned by the organization. Note that, if you choose not to pass any parameters, you'll need to set Content-Length to zero when calling out to this endpoint. For more information, see \"HTTP method.\"

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route PUT /organizations/{org_id}/team/{team_id}/repos/{owner}/{repo}.

\n
\n

For more information about the permission levels, see \"Repository permission levels for an organization\".

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

To add a repository to a team or update the team's permission on a repository, the authenticated user must have admin access to the repository, and must be able to see the team. The repository must be owned by the organization, or a direct fork of a repository owned by the organization. You will get a 422 Unprocessable Entity status if you attempt to add a repository to a team that is not owned by the organization. Note that, if you choose not to pass any parameters, you'll need to set Content-Length to zero when calling out to this endpoint. For more information, see \"HTTP method.\"

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route PUT /organizations/{org_id}/team/{team_id}/repos/{owner}/{repo}.

\n
\n

For more information about the permission levels, see \"Repository permission levels for an organization\".

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -511489,13 +511489,13 @@ } ], "previews": [], + "descriptionHTML": "

If the authenticated user is an organization owner or a team maintainer, they can remove any repositories from the team. To remove a repository from a team as an organization member, the authenticated user must have admin access to the repository and must be able to see the team. This does not delete the repository, it just removes it from the team.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route DELETE /organizations/{org_id}/team/{team_id}/repos/{owner}/{repo}.

\n
", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

If the authenticated user is an organization owner or a team maintainer, they can remove any repositories from the team. To remove a repository from a team as an organization member, the authenticated user must have admin access to the repository and must be able to see the team. This does not delete the repository, it just removes it from the team.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route DELETE /organizations/{org_id}/team/{team_id}/repos/{owner}/{repo}.

\n
" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -511805,13 +511805,13 @@ } ], "previews": [], + "descriptionHTML": "

Lists the child teams of the team specified by {team_slug}.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route GET /organizations/{org_id}/team/{team_id}/teams.

\n
", "statusCodes": [ { "httpStatusCode": "200", "description": "

if child teams exist

" } - ], - "descriptionHTML": "

Lists the child teams of the team specified by {team_slug}.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route GET /organizations/{org_id}/team/{team_id}/teams.

\n
" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -519682,13 +519682,13 @@ } ], "previews": [], + "descriptionHTML": "

Get a specific comment on a team discussion.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route GET /organizations/{org_id}/team/{team_id}/discussions/{discussion_number}/comments/{comment_number}.

\n
\n

OAuth app tokens and personal access tokens (classic) need the read:discussion scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Get a specific comment on a team discussion.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route GET /organizations/{org_id}/team/{team_id}/discussions/{discussion_number}/comments/{comment_number}.

\n
\n

OAuth app tokens and personal access tokens (classic) need the read:discussion scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -524001,13 +524001,13 @@ } ], "previews": [], + "descriptionHTML": "

Edits the title and body text of a discussion post. Only the parameters you provide are updated.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route PATCH /organizations/{org_id}/team/{team_id}/discussions/{discussion_number}.

\n
\n

OAuth app tokens and personal access tokens (classic) need the write:discussion scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ], - "descriptionHTML": "

Edits the title and body text of a discussion post. Only the parameters you provide are updated.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route PATCH /organizations/{org_id}/team/{team_id}/discussions/{discussion_number}.

\n
\n

OAuth app tokens and personal access tokens (classic) need the write:discussion scope to use this endpoint.

" + ] }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -526857,13 +526857,13 @@ } ], "previews": [], + "descriptionHTML": "

Deletes a connection between a team and an external group.

\n

You can manage team membership with your IdP using Enterprise Managed Users for GitHub Enterprise Cloud. For more information, see GitHub's products in the GitHub Help documentation.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ], - "descriptionHTML": "

Deletes a connection between a team and an external group.

\n

You can manage team membership with your IdP using Enterprise Managed Users for GitHub Enterprise Cloud. For more information, see GitHub's products in the GitHub Help documentation.

" + ] } ], "members": [ diff --git a/src/rest/data/ghes-3.17-2022-11-28/schema.json b/src/rest/data/ghes-3.17-2022-11-28/schema.json index 39bdb03da54d..febff2d78999 100644 --- a/src/rest/data/ghes-3.17-2022-11-28/schema.json +++ b/src/rest/data/ghes-3.17-2022-11-28/schema.json @@ -1080,13 +1080,13 @@ } ], "previews": [], - "descriptionHTML": "

Gets the GitHub Actions cache usage policy for an enterprise.

\n

OAuth tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Gets the GitHub Actions cache usage policy for an enterprise.

\n

OAuth tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -3100,13 +3100,13 @@ } ], "previews": [], - "descriptionHTML": "

Gets the selected actions that are allowed in an enterprise. To use this endpoint, the enterprise permission policy for allowed_actions must be configured to selected. For more information, see \"Set GitHub Actions permissions for an enterprise.\"

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Gets the selected actions that are allowed in an enterprise. To use this endpoint, the enterprise permission policy for allowed_actions must be configured to selected. For more information, see \"Set GitHub Actions permissions for an enterprise.\"

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -3178,13 +3178,13 @@ } ], "previews": [], - "descriptionHTML": "

Sets the actions that are allowed in an enterprise. To use this endpoint, the enterprise permission policy for allowed_actions must be configured to selected. For more information, see \"Set GitHub Actions permissions for an enterprise.\"

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ] + ], + "descriptionHTML": "

Sets the actions that are allowed in an enterprise. To use this endpoint, the enterprise permission policy for allowed_actions must be configured to selected. For more information, see \"Set GitHub Actions permissions for an enterprise.\"

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -3326,13 +3326,13 @@ } ], "previews": [], - "descriptionHTML": "

Sets the default workflow permissions granted to the GITHUB_TOKEN when running workflows in an enterprise, and sets\nwhether GitHub Actions can submit approving pull request reviews. For more information, see\n\"Enforcing a policy for workflow permissions in your enterprise.\"

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

Success response

" } - ] + ], + "descriptionHTML": "

Sets the default workflow permissions granted to the GITHUB_TOKEN when running workflows in an enterprise, and sets\nwhether GitHub Actions can submit approving pull request reviews. For more information, see\n\"Enforcing a policy for workflow permissions in your enterprise.\"

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -5112,13 +5112,13 @@ } ], "previews": [], - "descriptionHTML": "

Gets the default workflow permissions granted to the GITHUB_TOKEN when running workflows in an organization,\nas well as whether GitHub Actions can submit approving pull request reviews. For more information, see\n\"Setting the permissions of the GITHUB_TOKEN for your organization.\"

\n

OAuth tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Gets the default workflow permissions granted to the GITHUB_TOKEN when running workflows in an organization,\nas well as whether GitHub Actions can submit approving pull request reviews. For more information, see\n\"Setting the permissions of the GITHUB_TOKEN for your organization.\"

\n

OAuth tokens and personal access tokens (classic) need the admin:org scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -8142,13 +8142,13 @@ } ], "previews": [], - "descriptionHTML": "

Gets your public key, which you need to encrypt secrets. You need to\nencrypt a secret before you can create or update secrets.

\n

Anyone with read access to the repository can use this endpoint.

\n

If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Gets your public key, which you need to encrypt secrets. You need to\nencrypt a secret before you can create or update secrets.

\n

Anyone with read access to the repository can use this endpoint.

\n

If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -9445,13 +9445,13 @@ } ], "previews": [], - "descriptionHTML": "

Creates a new self-hosted runner group for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "201", "description": "

Created

" } - ] + ], + "descriptionHTML": "

Creates a new self-hosted runner group for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -10474,13 +10474,13 @@ } ], "previews": [], - "descriptionHTML": "

Lists the self-hosted runners that are in a specific enterprise group.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Lists the self-hosted runners that are in a specific enterprise group.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -13602,13 +13602,13 @@ } ], "previews": [], - "descriptionHTML": "

Lists all self-hosted runners configured for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Lists all self-hosted runners configured for an enterprise.

\n

OAuth app tokens and personal access tokens (classic) need the manage_runners:enterprise scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -18705,13 +18705,13 @@ } ], "previews": [], - "descriptionHTML": "

Returns a token that you can pass to the config script. The token expires after one hour.

\n

For example, you can replace TOKEN in the following example with the registration token provided by this endpoint to configure your self-hosted runner:

\n
./config.sh --url https://github.com/octo-org --token TOKEN\n
\n

Authenticated users must have admin access to the organization to use this endpoint.

\n

OAuth tokens and personal access tokens (classic) need theadmin:org scope to use this endpoint. If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "201", "description": "

Created

" } - ] + ], + "descriptionHTML": "

Returns a token that you can pass to the config script. The token expires after one hour.

\n

For example, you can replace TOKEN in the following example with the registration token provided by this endpoint to configure your self-hosted runner:

\n
./config.sh --url https://github.com/octo-org --token TOKEN\n
\n

Authenticated users must have admin access to the organization to use this endpoint.

\n

OAuth tokens and personal access tokens (classic) need theadmin:org scope to use this endpoint. If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -35577,13 +35577,13 @@ } ], "previews": [], - "descriptionHTML": "

Anyone with read access to the repository can use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint with a private repository.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Anyone with read access to the repository can use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint with a private repository.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -38725,7 +38725,6 @@ } ], "previews": [], - "descriptionHTML": "

Cancels a workflow run and bypasses conditions that would otherwise cause a workflow execution to continue, such as an always() condition on a job.\nYou should only use this endpoint to cancel a workflow run when the workflow run is not responding to POST /repos/{owner}/{repo}/actions/runs/{run_id}/cancel.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "202", @@ -38735,7 +38734,8 @@ "httpStatusCode": "409", "description": "

Conflict

" } - ] + ], + "descriptionHTML": "

Cancels a workflow run and bypasses conditions that would otherwise cause a workflow execution to continue, such as an always() condition on a job.\nYou should only use this endpoint to cancel a workflow run when the workflow run is not responding to POST /repos/{owner}/{repo}/actions/runs/{run_id}/cancel.

\n

OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -67031,13 +67031,13 @@ } ], "previews": [], - "descriptionHTML": "

This is the user's organization dashboard. You must be authenticated as the user to view this.

\n

Note

\n

\nThis API is not built to serve real-time use cases. Depending on the time of day, event latency can be anywhere from 30s to 6h.

\n
", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

This is the user's organization dashboard. You must be authenticated as the user to view this.

\n

Note

\n

\nThis API is not built to serve real-time use cases. Depending on the time of day, event latency can be anywhere from 30s to 6h.

\n
" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -88263,13 +88263,13 @@ } ], "previews": [], - "descriptionHTML": "

Lists repositories a user has starred.

\n

This endpoint supports the following custom media types. For more information, see \"Media types.\"

\n
    \n
  • application/vnd.github.star+json: Includes a timestamp of when the star was created.
    • \n
", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Lists repositories a user has starred.

\n

This endpoint supports the following custom media types. For more information, see \"Media types.\"

\n
    \n
  • application/vnd.github.star+json: Includes a timestamp of when the star was created.
    • \n
" } ], "watching": [ @@ -103926,13 +103926,13 @@ } ], "previews": [], - "descriptionHTML": "

Revokes the installation token you're using to authenticate as an installation and access this endpoint.

\n

Once an installation token is revoked, the token is invalidated and cannot be used. Other endpoints that require the revoked installation token must have a new installation token to work. You can create a new token using the \"Create an installation access token for an app\" endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ] + ], + "descriptionHTML": "

Revokes the installation token you're using to authenticate as an installation and access this endpoint.

\n

Once an installation token is revoked, the token is invalidated and cannot be used. Other endpoints that require the revoked installation token must have a new installation token to work. You can create a new token using the \"Create an installation access token for an app\" endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -109664,13 +109664,13 @@ } ], "previews": [], - "descriptionHTML": "

Gets the GitHub Advanced Security active committers for an organization per repository.

\n

Each distinct user login across all repositories is counted as a single Advanced Security seat, so the total_advanced_security_committers is not the sum of advanced_security_committers for each repository.

\n

If this organization defers to an enterprise for billing, the total_advanced_security_committers returned from the organization API may include some users that are in more than one organization, so they will only consume a single Advanced Security seat at the enterprise level.

\n

The total number of repositories with committer information is tracked by the total_count field.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

Success

" } - ] + ], + "descriptionHTML": "

Gets the GitHub Advanced Security active committers for an organization per repository.

\n

Each distinct user login across all repositories is counted as a single Advanced Security seat, so the total_advanced_security_committers is not the sum of advanced_security_committers for each repository.

\n

If this organization defers to an enterprise for billing, the total_advanced_security_committers returned from the organization API may include some users that are in more than one organization, so they will only consume a single Advanced Security seat at the enterprise level.

\n

The total number of repositories with committer information is tracked by the total_count field.

" } ] }, @@ -209918,13 +209918,13 @@ } ], "previews": [], - "descriptionHTML": "", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -211037,13 +211037,13 @@ } ], "previews": [], - "descriptionHTML": "

Gets the audit log for an enterprise.

\n

The authenticated user must be an enterprise admin to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Gets the audit log for an enterprise.

\n

The authenticated user must be an enterprise admin to use this endpoint.

\n

OAuth app tokens and personal access tokens (classic) need the admin:enterprise scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -211109,13 +211109,13 @@ } ], "previews": [], - "descriptionHTML": "

Retrieves the audit log streaming public key for encrypting secrets.

\n

When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See \"Encrypting secrets for the REST API.\"

", "statusCodes": [ { "httpStatusCode": "200", "description": "

The stream key for the audit log streaming configuration was retrieved successfully.

" } - ] + ], + "descriptionHTML": "

Retrieves the audit log streaming public key for encrypting secrets.

\n

When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See \"Encrypting secrets for the REST API.\"

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -215707,7 +215707,6 @@ } ], "previews": [], - "descriptionHTML": "

Get node metadata for all configured nodes in the current cluster. For more information, see \"About clustering.\"

", "statusCodes": [ { "httpStatusCode": "200", @@ -215721,7 +215720,8 @@ "httpStatusCode": "500", "description": "

Internal error

" } - ] + ], + "descriptionHTML": "

Get node metadata for all configured nodes in the current cluster. For more information, see \"About clustering.\"

" }, { "serverUrl": "http(s)://HOSTNAME", @@ -219546,13 +219546,13 @@ } ], "previews": [], - "descriptionHTML": "", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -356710,13 +356710,13 @@ } ], "previews": [], - "descriptionHTML": "

List all users who are outside collaborators of an organization.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

List all users who are outside collaborators of an organization.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -374883,13 +374883,13 @@ } ], "previews": [], - "descriptionHTML": "

Gets a specific package in an organization.

\n

OAuth app tokens and personal access tokens (classic) need the read:packages scope to use this endpoint. For more information, see \"About permissions for GitHub Packages.\"

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Gets a specific package in an organization.

\n

OAuth app tokens and personal access tokens (classic) need the read:packages scope to use this endpoint. For more information, see \"About permissions for GitHub Packages.\"

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -375594,13 +375594,13 @@ } ], "previews": [], - "descriptionHTML": "

Gets a specific package version in an organization.

\n

OAuth app tokens and personal access tokens (classic) need the read:packages scope to use this endpoint. For more information, see \"About permissions for GitHub Packages.\"

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Gets a specific package version in an organization.

\n

OAuth app tokens and personal access tokens (classic) need the read:packages scope to use this endpoint. For more information, see \"About permissions for GitHub Packages.\"

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -386246,13 +386246,13 @@ } ], "previews": [], - "descriptionHTML": "

Lists builts of a GitHub Enterprise Server Pages site.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Lists builts of a GitHub Enterprise Server Pages site.

\n

OAuth app tokens and personal access tokens (classic) need the repo scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -418650,13 +418650,13 @@ } ], "previews": [], - "descriptionHTML": "

Lists all review comments for a specified pull request. By default, review comments\nare in ascending order by ID.

\n

This endpoint supports the following custom media types. For more information, see \"Media types.\"

\n
    \n
  • application/vnd.github-commitcomment.raw+json: Returns the raw markdown body. Response will include body. This is the default if you do not pass any specific media type.
    • \n
  • application/vnd.github-commitcomment.text+json: Returns a text only representation of the markdown body. Response will include body_text.
    • \n
  • application/vnd.github-commitcomment.html+json: Returns HTML rendered from the body's markdown. Response will include body_html.
    • \n
  • application/vnd.github-commitcomment.full+json: Returns raw, text, and HTML representations. Response will include body, body_text, and body_html.
    • \n
", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Lists all review comments for a specified pull request. By default, review comments\nare in ascending order by ID.

\n

This endpoint supports the following custom media types. For more information, see \"Media types.\"

\n
    \n
  • application/vnd.github-commitcomment.raw+json: Returns the raw markdown body. Response will include body. This is the default if you do not pass any specific media type.
    • \n
  • application/vnd.github-commitcomment.text+json: Returns a text only representation of the markdown body. Response will include body_text.
    • \n
  • application/vnd.github-commitcomment.html+json: Returns HTML rendered from the body's markdown. Response will include body_html.
    • \n
  • application/vnd.github-commitcomment.full+json: Returns raw, text, and HTML representations. Response will include body, body_text, and body_html.
    • \n
" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -440154,7 +440154,6 @@ } ], "previews": [], - "descriptionHTML": "

List the reactions to a pull request review comment.

", "statusCodes": [ { "httpStatusCode": "200", @@ -440164,7 +440163,8 @@ "httpStatusCode": "404", "description": "

Resource not found

" } - ] + ], + "descriptionHTML": "

List the reactions to a pull request review comment.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -442301,13 +442301,13 @@ } ], "previews": [], - "descriptionHTML": "

Warning

\n

\nEndpoint closing down notice: This endpoint route is closing down and will be removed from the Teams API. We recommend migrating your existing code to use the new List reactions for a team discussion comment endpoint.

\n
\n

List the reactions to a team discussion comment.

\n

OAuth app tokens and personal access tokens (classic) need the read:discussion scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Warning

\n

\nEndpoint closing down notice: This endpoint route is closing down and will be removed from the Teams API. We recommend migrating your existing code to use the new List reactions for a team discussion comment endpoint.

\n
\n

List the reactions to a team discussion comment.

\n

OAuth app tokens and personal access tokens (classic) need the read:discussion scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -519800,11 +519800,12 @@ "bodyParameters": [], "progAccess": { "userToServerRest": true, - "serverToServer": false, + "serverToServer": true, "fineGrainedPat": true, "permissions": [ { - "\"Secret scanning alerts\" repository permissions": "read" + "\"Secret scanning alerts\" repository permissions": "read", + "\"Organization bypass requests for secret scanning\" organization permissions": "read" } ] }, @@ -520233,11 +520234,12 @@ "bodyParameters": [], "progAccess": { "userToServerRest": true, - "serverToServer": false, + "serverToServer": true, "fineGrainedPat": true, "permissions": [ { - "\"Secret scanning alerts\" repository permissions": "read" + "\"Secret scanning alerts\" repository permissions": "read", + "\"Organization bypass requests for secret scanning\" organization permissions": "read" } ] }, @@ -520608,11 +520610,12 @@ "bodyParameters": [], "progAccess": { "userToServerRest": true, - "serverToServer": false, + "serverToServer": true, "fineGrainedPat": true, "permissions": [ { - "\"Secret scanning alerts\" repository permissions": "read" + "\"Secret scanning alerts\" repository permissions": "read", + "\"Organization bypass requests for secret scanning\" organization permissions": "read" } ] }, @@ -520954,11 +520957,12 @@ ], "progAccess": { "userToServerRest": true, - "serverToServer": false, + "serverToServer": true, "fineGrainedPat": true, "permissions": [ { - "\"Secret scanning alerts\" repository permissions": "read" + "\"Secret scanning alerts\" repository permissions": "read", + "\"Organization bypass requests for secret scanning\" organization permissions": "write" } ] }, @@ -528284,13 +528288,13 @@ } ], "previews": [], - "descriptionHTML": "

Lists a team's repositories visible to the authenticated user.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route GET /organizations/{org_id}/team/{team_id}/repos.

\n
", "statusCodes": [ { "httpStatusCode": "200", "description": "

OK

" } - ] + ], + "descriptionHTML": "

Lists a team's repositories visible to the authenticated user.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route GET /organizations/{org_id}/team/{team_id}/repos.

\n
" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -538291,13 +538295,13 @@ } ], "previews": [], - "descriptionHTML": "

Deletes a comment on a team discussion.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route DELETE /organizations/{org_id}/team/{team_id}/discussions/{discussion_number}/comments/{comment_number}.

\n
\n

OAuth app tokens and personal access tokens (classic) need the write:discussion scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ] + ], + "descriptionHTML": "

Deletes a comment on a team discussion.

\n

Note

\n

\nYou can also specify a team by org_id and team_id using the route DELETE /organizations/{org_id}/team/{team_id}/discussions/{discussion_number}/comments/{comment_number}.

\n
\n

OAuth app tokens and personal access tokens (classic) need the write:discussion scope to use this endpoint.

" }, { "serverUrl": "http(s)://HOSTNAME/api/v3", @@ -544119,13 +544123,13 @@ } ], "previews": [], - "descriptionHTML": "

Warning

\n

\nEndpoint closing down notice: This endpoint route is closing down and will be removed from the Teams API. We recommend migrating your existing code to use the new Delete a discussion endpoint.

\n
\n

Delete a discussion from a team's page.

\n

OAuth app tokens and personal access tokens (classic) need the write:discussion scope to use this endpoint.

", "statusCodes": [ { "httpStatusCode": "204", "description": "

No Content

" } - ] + ], + "descriptionHTML": "

Warning

\n

\nEndpoint closing down notice: This endpoint route is closing down and will be removed from the Teams API. We recommend migrating your existing code to use the new Delete a discussion endpoint.

\n
\n

Delete a discussion from a team's page.

\n

OAuth app tokens and personal access tokens (classic) need the write:discussion scope to use this endpoint.

" } ], "external-groups": [ From ad8707e8e3608dbfd6a92cf741d3830e60c3a769 Mon Sep 17 00:00:00 2001 From: Kevin Heis Date: Wed, 16 Jul 2025 10:51:28 -0700 Subject: [PATCH 6/6] Configure british-english-quotes rule to only run in pre-commit (#56664) --- src/content-linter/scripts/lint-content.js | 3 +++ src/content-linter/style/github-docs.js | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/content-linter/scripts/lint-content.js b/src/content-linter/scripts/lint-content.js index ac9365ff6152..81e7c2367073 100755 --- a/src/content-linter/scripts/lint-content.js +++ b/src/content-linter/scripts/lint-content.js @@ -553,6 +553,9 @@ function getMarkdownLintConfig(errorsOnly, runRules) { if (runRules && !runRules.includes(ruleName)) continue + // Skip british-english-quotes rule in CI/PRs (only run in pre-commit) + if (ruleName === 'british-english-quotes' && !isPrecommit) continue + // There are a subset of rules run on just the frontmatter in files if (githubDocsFrontmatterConfig[ruleName]) { config.frontMatter[ruleName] = ruleConfig diff --git a/src/content-linter/style/github-docs.js b/src/content-linter/style/github-docs.js index 706fc8cc5462..5da71383d4af 100644 --- a/src/content-linter/style/github-docs.js +++ b/src/content-linter/style/github-docs.js @@ -14,7 +14,7 @@ export const reportingConfig = { // Add rule names here if you want to suppress them from reports excludeRules: [ // Example: 'GHD030' // Uncomment to exclude code-fence-line-length warnings - // Example: 'british-english-quotes' // Uncomment to exclude punctuation warnings + 'british-english-quotes', // Exclude from reports but keep for pre-commit ], } @@ -215,6 +215,7 @@ const githubDocsConfig = { 'british-english-quotes': { // GHD048 severity: 'warning', + precommitSeverity: 'warning', // Show warnings locally for writer awareness 'partial-markdown-files': true, 'yml-files': true, },